AES encrypted passwords
freeradius-users at latter.org
Fri Sep 30 12:03:16 CEST 2016
On 29/09/16 17:25, Alan DeKok wrote:
> On Sep 29, 2016, at 12:13 PM, Dom Latter
> <freeradius-users at latter.org> wrote:
>>
>> some of you may remember me from a couple of months back asking
>> about NTLM hashed passwords. I gave those a brief go but found
>> that some devices just didn't work with them.
>
> What does that mean?
It means that I replaced 'User-Password' in radcheck with an equivalent
'NT-Password'. And I found that (for example) with one of my guinea
pig users, two of his devices continued to connect to the Wifi network
just fine, but the third did not.
> There are no "device" compatibility issues with NT hashed passwords.
See above. From my customer's point of view, that's a device
compatibility issue, whatever it may be at a technical level.
> If you want security, store the encrypted passwords in SQL, and then
> decrypt them on the RADIUS server. That way the SQL database has the
> passwords but not the decryption key, and the RADIUS server has the
> decryption key but not the password.
When you say "decrypt them on the radius server" - as far as I could
see that would mean writing a new module (or modifying rlm_mschap.c)
and re-compiling freeradius - is that what you meant?
> It "works", just like putting a Ferrari sticker on your car "works".
> But it doesn't add any real security. And your car still isn't a
> Ferrari.
I could not agree more!
Thanks for your input.
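The split Alan describes, ciphertext in SQL and the decryption key only on the RADIUS host, as an added Go example that is not code from this thread or from FreeRADIUS; the key, user name and password are constructed for the demo, and it does not prescribe whether the decrypt step lives in a custom module.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

func newGCM(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block cipher
	return gcm
}

// EncryptForStore runs at provisioning; SQL only ever holds its output, never the key.
func EncryptForStore(key [32]byte, username, password string) (string, error) {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Username as associated data ties each ciphertext to its own row.
	ct := gcm.Seal(nonce, nonce, []byte(password), []byte(username))
	return base64.StdEncoding.EncodeToString(ct), nil // nonce || ciphertext || tag
}

// DecryptOnRadius runs on the RADIUS server; the plaintext it returns is what MS-CHAP needs.
func DecryptOnRadius(key [32]byte, username, stored string) (string, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < n {
		return "", errors.New("malformed stored value")
	}
	pt, err := gcm.Open(nil, raw[:n], raw[n:], []byte(username))
	if err != nil {
		return "", err // wrong key, wrong user, or tampered row
	}
	return string(pt), nil
}

func main() {
	var key [32]byte // constructed demo key; in use only the RADIUS host holds it
	rand.Read(key[:])
	enc, _ := EncryptForStore(key, "alice", "correct horse")
	fmt.Println(DecryptOnRadius(key, "alice", enc))
}
```

A copy of the SQL table alone yields nothing without the key, and a row moved between users fails to decrypt because the user name is authenticated data.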