AES encrypted passwords

Bogdan Rudas brudas at
Thu Sep 29 18:57:30 CEST 2016

Hello Dom,

Why don't you go with EAP-TTLS+PAP ? Plain-text password transferred over
TLS-secured channel let you use any hashing algorithm you want in your
database. Sure, you have to pay attention for proper device configuration
with your CA certificate.

On Thu, Sep 29, 2016 at 7:13 PM, Dom Latter <freeradius-users at>

> Hi,
> [tech details at end [1]]
> some of you may remember me from a couple of months back asking
> about NTLM hashed passwords.  I gave those a brief go but found
> that some devices just didn't work with them.
> The requirement - a commercial and marketing requirement, not a
> technical one - has not gone away and it is that we can say that
> we do not store the passwords in plain text.
> I have concocted a scheme whereby we do that - the following goes
> into dialup.conf and is I hope self-explanatory:
> authorize_check_query = "SELECT id, username, attribute, value, op \
> FROM ${authcheck_table} \
> WHERE username = '%{SQL-User-Name}' \
> AND attribute != 'AES-Password' \
> SELECT id, username, 'User-Password', \
>   AES_DECRYPT(UNHEX(value), 'aeskey'), op \
> FROM radcheck \
> WHERE username = '%{SQL-User-Name}' \
> AND attribute = 'AES-Password' \
> ORDER BY id"
> We replace User-Password with AES-Password, decrypt it in the sql query
> and pass it back to radius /as/ User-Password.  (Or Cleartext-Password
> is more likely in the final implementation).
> Yes, the key is now held in /etc/freeradius and if someone gets that
> as well as the database then it's much the same as storing the passwords
> in plain text.  But we can *say* that they are stored encrypted - and
> there may be a slight edge in security, as a file in /etc/ *may* be
> less vulnerable than a mysql database.
> Any thoughts on this scheme?
> thanks
> dom
> [1] wifi network with aerohive access points; freeradius with mysql
> data store; WPA2-Enterprise, MSCHAPv2, no control whatsoever over what
> the users want to connect to the network.
> -
> List info/subscribe/unsubscribe? See
> /users.html

Bogdan Rudas
Head of Minsk IT Support Department
Exadel Inc.
E-mail: brudas at
Skype ID: bogdan.rudas


CONFIDENTIALITY NOTICE: This email and files attached to it are 
confidential. If you are not the intended recipient you are hereby notified 
that using, copying, distributing or taking any action in reliance on the 
contents of this information is strictly prohibited. If you have received 
this email in error please notify the sender and delete this email.

More information about the Freeradius-Users mailing list