Cisco WLC + password hashing

Matthew Newton mcn4 at
Fri Sep 9 10:39:52 CEST 2016

On Thu, Sep 08, 2016 at 08:45:59PM -0500, David Jimenez wrote:
> I am using a Cisco WLC with freeradius and it seems, regardless
> of what I do to the eap config file, the combination of
> freeradius+Cisco 2504 only allows NTLM password hashing.

I'm not sure what you're seeing. The Cisco WLCs just pass EAP
through from the client like any other NAS [should].

> I read that type of hashing is completely vulnerable now. So, is
> it worth implementing it at all or should I just use cleartext?

There's probably not much difference in either. Use EAP-TLS if you
want better security. If it's convenience (which, let's face it,
most people prefer) then PEAP/MSCHAPv2 is the most common.

> Any other users here that have a Cisco WLC, what do you usually
> do in production deployments?

We're using at least EAP-TLS, PEAP/EAP-MSCHAPv2,


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list