AES encrypted passwords

Stefan Winter stefan.winter at
Fri Sep 30 15:57:37 CEST 2016

Am 30.09.2016 um 12:09 schrieb Dom Latter:
> On 29/09/16 17:57, Bogdan Rudas via Freeradius-Users wrote:
>> Hello Dom,
>> Why don't you go with EAP-TTLS+PAP ? Plain-text password transferred over
>> TLS-secured channel let you use any hashing algorithm you want in your
> As far as I can work out, out-of-the-box support for this protocol only
> arrived for most things in about 2010.  We'll have quite a lot of users
> still using machines older than that.  I suspect that for commercial
> reasons, it's not an option.  I can ask.
>> database. Sure, you have to pay attention for proper device
>> configuration with your CA certificate.
> Do you mean a certificate needs to go on the device?
> I have had a look at this:
> for example and it does not look like a certificate *needs* installing.

You didn't read this yet, did you? Section "User Device Configuration":

No CA checks means all your passwords are up for grabbing for everyone
with a glimpse on Enterprise Wi-Fi.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list