AES encrypted passwords

Matthew Newton mcn4 at
Fri Sep 30 12:25:10 CEST 2016

On Fri, Sep 30, 2016 at 11:09:34AM +0100, Dom Latter wrote:
> On 29/09/16 17:57, Bogdan Rudas via Freeradius-Users wrote:
> >Hello Dom,
> >
> >Why don't you go with EAP-TTLS+PAP? Plain-text password transferred over
> >TLS-secured channel lets you use any hashing algorithm you want in your
> As far as I can work out, out-of-the-box support for this protocol only
> arrived for most things in about 2010.  We'll have quite a lot of users
> still using machines older than that.  I suspect that for commercial
> reasons, it's not an option.  I can ask.

Most things will do EAP-TTLS/PAP these days. Windows XP/7 are the
only real big exceptions I'm aware of. And if XP is a problem then
that's the least of your issues.

> > database. Sure, you have to pay attention to proper device
> > configuration with your CA certificate.
> Do you mean a certificate needs to go on the device?
> I have had a look at this:
> for example and it does not look like a certificate *needs* installing.

It doesn't *technically* need installing. But then you're open to
your devices talking to a rogue RADIUS server and giving their
cleartext password away. So it's pretty stupid not to.

They stopped their instructions before the big certificate warning
appears on screen.

With wireless, for example, this means little more than someone
coming near your site advertising your SSID, and people hit the
"trust this wireless network" button and immediately give their
credentials away.

So yes, it needs installing.

But then, you should install a client CA root cert with pretty
much whichever EAP method you use, otherwise you risk the same
problem, to a greater or lesser degree, depending on the inner
method. So this is something you should be doing anyway.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>
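
The server-validation point in the message above, as an added example that is not part of the original e-mail: a small audit of supplicant configuration that flags 802.1X networks which would accept a rogue RADIUS server. It assumes wpa_supplicant as the client (the thread names no particular supplicant); the SSIDs, file path and server name are constructed.

```python
import re

# Constructed sample wpa_supplicant.conf (assumed supplicant; all values made up).
SAMPLE_CONF = '''
network={
    ssid="example-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    phase2="auth=PAP"
}
network={
    ssid="example-pinned"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=PAP"
}
'''

NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", text, re.S):
        net = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit(text):
    """Map SSID -> findings for 802.1X networks that do not validate the server."""
    report = {}
    for net in parse_networks(text):
        if "eap" not in net and "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK/open networks have no RADIUS server to validate
        findings = []
        if not net.get("ca_cert"):
            findings.append("no ca_cert: any server certificate is accepted")
        if not any(net.get(k) for k in NAME_CHECKS):
            findings.append("no name check: any certificate from that CA is accepted")
        if findings and "PAP" in net.get("phase2", "").upper():
            findings.append("inner PAP: cleartext password is exposed to that server")
        report[net.get("ssid", "?")] = findings
    return report
```
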
