EAP-Tls with MySQL

Nicolas Roussi nicolas.roussi at archimedean.org
Sat Jun 18 18:35:23 CEST 2016

> My understanding after reviewing the debug messages is that upon association with the AP, the client performs a key exchange with FR server.
> Then, once the secure channel is setup, the client is asked to provide username and password. Is my understanding correct? I used this guide: https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-configure-wpa2-enterprise <https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-configure-wpa2-enterprise>
> That password is expected (or it defaults to) Cleartext-Password. Is there a way that I can change that? As I said before, it works. I just don’t feel comfortable saving user passwords in cleartext in my DB.

So while I was writing the above reply, I thought of the following.
I will save the password in the DB like this:
username 	|	attribute 				|	op	|	value
<username>	|	Cleartext-Password		|	:=	|	<hashed password>

And then modify the dialup.conf file for the authorize_check_query. So from:
SELECT id, username, attribute, value, op \
          FROM ${authcheck_table} \
          WHERE username = '%{SQL-User-Name}' \
          ORDER BY id

SELECT id, username, attribute, MD5(value), op \
          FROM ${authcheck_table} \
          WHERE username = '%{SQL-User-Name}' \
          ORDER BY id

Should work fine.

More information about the Freeradius-Users mailing list