AES encrypted passwords
Dom Latter
freeradius-users at latter.org
Thu Sep 29 18:13:02 CEST 2016
Hi,
[tech details at end [1]]
some of you may remember me from a couple of months back asking
about NTLM hashed passwords. I gave those a brief go but found
that some devices just didn't work with them.
The requirement - a commercial and marketing requirement, not a
technical one - has not gone away and it is that we can say that
we do not store the passwords in plain text.
I have concocted a scheme whereby we do that - the following goes
into dialup.conf and is, I hope, self-explanatory:
# Ordinary check items come back unchanged; the AES-Password row is
# decrypted in the query and relabelled so FreeRADIUS sees a password.
authorize_check_query = "SELECT id, username, attribute, value, op \
                         FROM ${authcheck_table} \
                         WHERE username = '%{SQL-User-Name}' \
                         AND attribute != 'AES-Password' \
                         UNION \
                         SELECT id, username, 'User-Password', \
                         AES_DECRYPT(UNHEX(value), 'aeskey'), op \
                         FROM radcheck \
                         WHERE username = '%{SQL-User-Name}' \
                         AND attribute = 'AES-Password' \
                         ORDER BY id"
We replace User-Password with AES-Password, decrypt it in the SQL query
and pass it back to RADIUS /as/ User-Password. (Or Cleartext-Password
is more likely in the final implementation.)
Yes, the key is now held in /etc/freeradius and if someone gets that
as well as the database then it's much the same as storing the passwords
in plain text. But we can *say* that they are stored encrypted - and
there may be a slight edge in security, as a file in /etc/ *may* be
less vulnerable than a mysql database.
Any thoughts on this scheme?
thanks
dom
[1] Wi-Fi network with Aerohive access points; FreeRADIUS with MySQL
data store; WPA2-Enterprise, MSCHAPv2, no control whatsoever over what
the users want to connect to the network.
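The following MySQL session is an added illustration of the scheme described in the post, not code from the post or from the FreeRADIUS project. It uses the stock FreeRADIUS radcheck schema, a made-up user ('alice'), a made-up password and the literal key 'aeskey' from the post, and shows how the AES-Password row is provisioned, how the UNION query rewrites it as a Cleartext-Password check item (the form rlm_mschap needs for MS-CHAPv2), and what a wrong key looks like at the SQL level.

```sql
-- Added example (not from the original post or from FreeRADIUS).
-- Table layout follows the stock FreeRADIUS MySQL radcheck schema.
CREATE TABLE IF NOT EXISTS radcheck (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL DEFAULT '',
  attribute VARCHAR(64)  NOT NULL DEFAULT '',
  op        CHAR(2)      NOT NULL DEFAULT '==',
  value     VARCHAR(253) NOT NULL DEFAULT '',
  KEY username (username(32))
);

-- Provisioning: write the password as AES-Password instead of User-Password.
-- AES_ENCRYPT() returns binary, so it is HEX()ed to fit the VARCHAR column;
-- the authorize query reverses that with AES_DECRYPT(UNHEX(value), key).
-- Caveat: MySQL's default block_encryption_mode is 'aes-128-ecb', so the
-- same password under the same key always yields the same ciphertext.
-- 'alice', 'S3cret-Wifi' and the second attribute are constructed samples.
INSERT INTO radcheck (username, attribute, op, value) VALUES
  ('alice', 'AES-Password',     ':=', HEX(AES_ENCRYPT('S3cret-Wifi', 'aeskey'))),
  ('alice', 'Simultaneous-Use', ':=', '2');

-- What FreeRADIUS executes for authorize_check_query once %{SQL-User-Name}
-- has been expanded to 'alice'. The first SELECT returns every ordinary
-- check item except the ciphertext; the second decrypts the ciphertext row
-- and relabels it Cleartext-Password.
-- Caveat: the key is part of the statement text, so anything that records
-- queries (MySQL general_log, radiusd -X debug output) records the key too.
SELECT id, username, attribute, value, op
  FROM radcheck
 WHERE username = 'alice'
   AND attribute != 'AES-Password'
UNION
SELECT id, username, 'Cleartext-Password',
       AES_DECRYPT(UNHEX(value), 'aeskey'), op
  FROM radcheck
 WHERE username = 'alice'
   AND attribute = 'AES-Password'
 ORDER BY id;

-- Failure mode: a wrong key does not raise an SQL error. AES_DECRYPT()
-- returns NULL when the padding does not validate (or garbage when it
-- happens to), so the user simply fails authentication and the
-- misconfiguration shows up only as a bad password.
SELECT AES_DECRYPT(UNHEX(value), 'wrongkey') AS decrypted
  FROM radcheck
 WHERE username = 'alice'
   AND attribute = 'AES-Password';
```

With the sample rows above, the UNION query hands FreeRADIUS two check items for alice: the Simultaneous-Use row untouched and a Cleartext-Password row carrying the decrypted password, which is what the MS-CHAPv2 path needs. The last query exists only to make the wrong-key behaviour visible from the SQL console, since from the supplicant's side it is indistinguishable from a mistyped password.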