freeradius sql MD5-Password pap fails

Adam Bishop Adam.Bishop at jisc.ac.uk
Thu Sep 29 13:39:37 CEST 2016


On 29 Sep 2016, at 12:32, Jan-Christoph Fuchs <jcfuchs at me.com> wrote:
> No I have changed the Database table radcheck to store MD5-Password. Tests with radtest work, but the live test is rejected.

Your clients are using EAP-MSCHAPv2 not EAP-MD5 in the tunnel. MSCHAP is incompatible with md5 hashes.

See the matrix here: http://deployingradius.com/documents/protocols/compatibility.html

> Background: We are a BYOD school. If the solution is to install a protocol extension on every client of our students to achieve md5 passwords, then the project is not possible and I will keep Cleartext-Password.

Depends on what your clients support, but md5 is considered a broken algorithm, which may help your decision.

If you're concerned about storing cleartext passwords, you can configure your clients for TTLS/GTC and store SSHA-512 hashes in the database.

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk
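
The salted-hash storage suggested in the reply above, as an added example that is not part of the original message: it builds and checks a salted SHA-512 value in the usual SSHA layout (base64 of digest followed by salt), which only works when the tunnel delivers the cleartext password, as PAP or GTC do. The attribute name `SSHA2-512-Password`, the 16-byte salt and the row layout are assumptions to check against your FreeRADIUS version and schema.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(SHA512(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(16)  # assumed salt length; any non-empty salt works
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def check_ssha512(password: str, stored: str) -> bool:
    """Verify a cleartext password (as received via PAP/GTC) against a stored value.

    This needs the cleartext: an MSCHAPv2 challenge/response cannot be
    checked against this hash, just as it cannot against an MD5 hash.
    """
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:
        return False  # no salt present, so not a salted SHA-512 value
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def radcheck_row(username: str, password: str) -> tuple:
    """Build (username, attribute, op, value) for a radcheck-style table.

    The attribute name is an assumption, not taken from the message.
    """
    return (username, "SSHA2-512-Password", ":=", make_ssha512(password))


if __name__ == "__main__":
    # Constructed sample user and password, for illustration only.
    row = radcheck_row("student1", "correct horse battery staple")
    print(row)
    print(check_ssha512("correct horse battery staple", row[3]))
```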
