AES encrypted passwords

freeradius-users at freeradius-users at
Fri Sep 30 12:03:16 CEST 2016

On 29/09/16 17:25, Alan DeKok wrote:
> On Sep 29, 2016, at 12:13 PM, Dom Latter
> <freeradius-users at> wrote:
>> some of you may remember me from a couple of months back asking
>> about NTLM hashed passwords.  I gave those a brief go but found
>> that some devices just didn't work with them.
> What does that mean?

It means that I replaced 'User-Password' in radcheck with an equivalent
'NT-Password'.  And I found that (for example) with one of my guinea
pig users, two of his devices continued to connect to the Wifi network
just fine, but the third did not.

> There is no "device" compatibility issues with NT hashed passwords.

See above.  From my customer's point of view, that's a device
compatibility issue, whatever it may be at a technical level.

> If you want security, store the encrypted passwords in SQL, and then
> decrypt them on the RADIUS server.  That way the SQL database has the
> passwords but not the decryption key, and the RADIUS server has the
> decryption key but not the password.

When you say "decrypt them on the radius server" - as far as I could
see that would mean writing a new module (or modifying rlm_mschap.c)
and re-compiling freeradius - is that what you meant?

> It "works", just like putting a Ferrari sticker on your car "works".
> But it doesn't add any real security.  And your car still isn't a
> Ferrari.

I could not agree more!

Thanks for your input.

More information about the Freeradius-Users mailing list