OpenLDAP+FreeRadius Encryption

Greg Mischel Smith gregms at gmail.com
Tue Feb 2 00:09:41 CET 2016


We're currently using freeradius 2.x and migrating to a new server
where we will be using 3.0.4.

Our OpenLDAP server has plaintext passwords currently, but as I migrate the
server over, I would like to encrypt and salt them (something like SSHA).
Both the LDAP and Radius servers will be on the same box.

The problem devices are our wireless clients, made up of Macs and phones
(Android and iPhone), and the traffic passes through a Cisco WLC.

If I want to encrypt, then it seems I would have to use EAP-GTC along with
PAP. The Macs seem to only want to authenticate with MSCHAPv2. I found on
Android phones if I don't set the Phase 2 authentication, it only checks
MSCHAPv2, however if I force it to use GTC, then it authenticates
correctly. I did notice in the logs using GTC, it has the ability to
display the encrypted password in the clear. Didn't do this with MSCHAPv2.

So here are my questions:
1. Is there something I'm missing from what I've been trying and seeing above?
2. Is GTC and PAP with encrypted passwords less secure than using MSCHAPv2
with Plain text passwords in LDAP (even though they are on the same box)?
3. Should Macs be able to use GTC? I've read that with Cisco ISE, this can
be forced, but beyond that I couldn't come across any article discussing it.

I'm having trouble finding the article or thread, but I had read before the
best solution with OpenLDAP and FreeRadius is plain-text passwords in LDAP,
MSCHAPv2 for authentication and ACLs on the LDAP OUs. Is this the
recommendation?

I would also like to prevent the ability to sniff the passwords in
whichever scenario is used.
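Why the choice of inner method decides what LDAP may store, as an added example (my own code, not from this thread, OpenLDAP or FreeRADIUS): an {SSHA} value can be checked from the cleartext that PAP or EAP-GTC carries inside the TLS tunnel, whereas an MSCHAPv2 response is computed from the NT hash (MD4 of the UTF-16LE password), which cannot be recovered from {SSHA}. The MD4 is a minimal inline implementation because hashlib's md4 is often disabled under OpenSSL 3; the sample password is constructed.

```python
import base64, hashlib, hmac, os, struct

def _md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & mask
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, order, shifts, add in rounds:
            for i, k in enumerate(order):
                p = (-i) % 4  # update a, d, c, b in turn
                t = v[p] + fn(v[(p + 1) % 4], v[(p + 2) % 4], v[(p + 3) % 4]) + x[k] + add
                v[p] = rol(t & mask, shifts[i % 4])
        state = [(s + w) & mask for s, w in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). MSCHAPv2 challenge responses are built from
    this value, so the server needs the cleartext (or NT-Password) to verify them."""
    return _md4(password.encode("utf-16-le"))

def ssha_hash(password: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password + salt) + salt). One-way, so the NT hash
    cannot be derived from it and MSCHAPv2 cannot be checked against this value."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """What a PAP/EAP-GTC check can do: the tunnelled cleartext is re-hashed with the
    stored salt and compared in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)
```

Running ssha_verify("demo", ssha_hash("demo")) succeeds with nothing but the stored {SSHA} value, while nt_hash("demo") is what an MSCHAPv2 check would need and {SSHA} can never supply.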

