OpenLDAP+FreeRadius Encryption

Anirudh Malhotra 8zero2ops at
Tue Feb 2 05:22:34 CET 2016


I don't know if this is correct to do (Arran or Alan would comment on this), but if you change the default PEAP method to GTC rather than MSCHAP, both Android and Apple (keeping security as automatic) devices work with GTC (LDAP).

Anirudh Malhotra
Mail: at
Twitter: @8zero2_in

On 2 Feb 2016, 05:08 +0530, Arran Cudbard-Bell <a.cudbardb at>, wrote:
> > On Feb 1, 2016, at 6:09 PM, Greg Mischel Smith <gregms at> wrote:
> > 
> > We're currently using freeradius 2.x and migrating to a new server
> > where we will be using 3.0.4.
> > 
> > Our OpenLDAP server has plaintext passwords currently, but as I migrate the
> > server over, I would like to encrypt and salt them (something like SSHA).
> > Both the LDAP and Radius servers will be on the same box.
> > 
> > The problem devices are our wireless clients made up of Macs and phones
> > (Android and iPhone) and the traffic passes through a Cisco WLC.
> > 
> > If I want to encrypt, then it seems I would have to use EAP-GTC along with
> > PAP. The Macs seem to only want to authenticate with MSCHAPv2. I found on
> > Android phones if I don't set the Phase 2 authentication, it only checks
> > MSCHAPv2, however if I force it to use GTC, then it authenticates
> > correctly. I did notice in the logs using GTC, it has the ability to
> > display the encrypted password in the clear. Didn't do this with MSCHAPv2.
> > 
> > So here are my questions:
> > 1. Is there something I'm missing from what I've been trying and seeing above?
> iPhones can do TTLS-PAP which gives you the passwords in the clear.
> Comment out mschap in your EAP config to disallow negotiation of mschap,
> they'll try something else...
> > 2. Are GTC and PAP with encrypted passwords less secure than using MSCHAPv2
> > with Plain text passwords in LDAP (even though they are on the same box)?
> If you're serious about security EAP-TLS is the only method that's widely
> available and secure.
> PEAP and TTLS are pretty bad when used with PAP/GTC/MSCHAPv2 inners.
> They rely on the user correctly identifying the certificate presented by the
> RADIUS server as being genuine. It's not like HTTPS where you at least
> have a domain you can check against the CN; with 802.1X you have nothing
> other than the SSID.
> If the user can't do that, then their password is effectively compromised.
> I heard rumours of an update to the EAP-PWD RFC that may allow salted
> passwords to be used. If that's correct, then the new version of EAP-PWD
> would be the only user-name/password based EAP method that was secure, and
> worked with hashed passwords.
> > 3. Should Macs be able to use GTC? I've read that with Cisco ISE, this can
> > be forced, but beyond that I couldn't come across any article discussing it.
> Unsure, but in terms of functionality it's almost identical to TTLS-PAP
> which OSX does support.
> -Arran
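As an added illustration (not from the thread and not the FreeRADIUS project's shipped file), here is the relevant part of a FreeRADIUS 3.0.x mods-available/eap with the changes Anirudh and Arran describe: PEAP's inner method defaults to GTC, GTC hands the cleartext it receives inside the TLS tunnel to rlm_pap so it can be checked against an {SSHA} userPassword from LDAP, and the mschapv2 sub-module is commented out so clients cannot negotiate it. The certificate paths and the tls-common name are placeholders assumed to match the existing configuration.

```conf
eap {
	# Outer method offered to wireless clients (PEAP or TTLS; both are TLS tunnels).
	default_eap_type = peap

	# TLS settings shared by PEAP and TTLS. Paths are placeholders for the
	# existing server certificate. Clients must be configured to validate
	# this certificate; as Arran notes, the inner method only protects the
	# password if the user does not accept a rogue server's certificate.
	tls-config tls-common {
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
	}

	peap {
		tls = tls-common
		# Was: mschapv2. MSCHAPv2 needs the cleartext or NT-hash password,
		# which rlm_ldap cannot recover from an {SSHA} userPassword, so the
		# inner method becomes GTC (cleartext inside the tunnel, checked by rlm_pap).
		default_eap_type = gtc
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}

	ttls {
		tls = tls-common
		# Same reasoning for TTLS; native TTLS-PAP (used by iOS/OS X) is
		# verified by rlm_pap as well.
		default_eap_type = gtc
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}

	# EAP-GTC: the password arrives in the clear inside the TLS tunnel;
	# auth_type = PAP makes rlm_pap verify it against the {SSHA} hash.
	gtc {
		auth_type = PAP
	}

	# Commented out so clients cannot negotiate EAP-MSCHAPv2 as the inner
	# method (Arran's suggestion); they will fall back to GTC or TTLS-PAP.
	#mschapv2 {
	#}
}
```

The inner-tunnel virtual server must still run ldap during authorize and pap during authenticate for the cleartext to be compared against the LDAP hash. Because GTC and TTLS-PAP deliver the password in the clear to the server, it shows up in debug output (radiusd -X), which is what Greg observed in his logs.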