Salted SHA security

Robert Graham robert_graham at
Mon Feb 23 21:48:07 CET 2015

Question for the Freeradius programmers/admins:

How does the authentication for the Salted SHA-512 get handled?

Yes, I know you can pull the hashed/salted password from a sql database or
locally, but how does the FreeRadius server compare the users input
password which would only be the first 64 bytesand the rest being the
salt, when the user has only entered in their username and password at the
prompts (I.E. mobile devices or laptops). Doesnt the server need to have
the users password and salt to be able to compare the pulled password with
the entered in password?

Ive been trying to do the format that was discussed earlier by changing
our code to be hash/salt appended not prepended, and by using Arrans
suggestions of:

update control {
	SSHA2-512-Password := "0x%{sql:query to get hash in hex concatenated with
salt in hex}"


update control {
	Tmp-String-0 := "%{sql:SELECT hash FROM <table> WHERE <clause>}"
	Tmp-String-1 := "%{sql:SELECT salt FROM <table> WHERE <clause>}"

update control {
	SSHA2-512-Password := "0x%{control:Tmp-String-0}%{control:Tmp-String-1}"

If I use radtest everything works just fine locally, but once PEAP is
integrated into the mix, it fails (i.e. laptop,cell phone). Am I reading
the protocol compability matrix incorrectly then?

Robert Graham
Network Engineer
U-Haul International
2727 N. Central Ave
Phoenix, AZ 85004

More information about the Freeradius-Users mailing list