EAP-pwd and NT-Password

Alan DeKok aland at deployingradius.com
Thu Oct 6 18:03:05 CEST 2016

On Oct 6, 2016, at 11:39 AM, Brian Candler <b.candler at pobox.com> wrote:
> I am looking at testing EAP-pwd [^1] as an alternative to PEAP for wireless authentication.
> The documentation in FreeRADIUS is unclear as to what authorization attributes are required, but digging into the source it appears to be a cleartext password:


> Now, RFC 5931 offers three options, and one of them is to use the MSCHAPv2 password hash:
> "   o   RFC 2759: The input password string SHALL be processed to produce
>       the output PasswordHashHash, as defined in [RFC2759]

  Yes.  That isn't implemented.

> This would be *really* convenient, as then I could use the control:NT-Password that I already use for PEAP. (The user database is FreeIPA and doesn't store cleartext passwords, but does have the NT hash)
> I see the "prep" field and constant definitions are in the source, e.g. EAP_PWD_PREP_MS, but the code appears to be fixed to EAP_PWD_PREP_NONE at the moment.
> Is this something which has already been considered?

  Not yet.  Mostly due to time.

> [^1] It seems that EAP-pwd and EAP-EKE have the same goal, of doing strong mutual authentication with a password. I haven't been able to find any comparison of the strengths and weaknesses of these protocols. But EAP-pwd has the advantage of being deployable: it's supported by Android and by FreeRADIUS.

  We should have EAP-EKE in v4 some time soon...

  Alan DeKok.

More information about the Freeradius-Users mailing list