Problem with LDAP authentication

Matthew Newton matthew at
Fri May 19 12:09:19 CEST 2017

On Fri, May 19, 2017 at 09:59:49AM +0000, Pircher, Sabine wrote:
> WORKS: Storing the passwords in clear-text in the LDAP database
> (Standard-PosixAccount).
> But in general I don’t like to store any passwords in
> clear-text.
> I read this article:
> and PAP inside EAP-TTLS looks good for me to store encrypted
> passwords, but I’m new to freeradius and authentication.
> What’s the best way ‘to do’ it?

Decide on a combination that works for your environment. Which
probably means evaluating what EAP methods your client
supplicants can do and then having to store passwords that are

A lot of clients can't do EAP-TTLS/PAP (e.g. Windows 7). So you
end up having to use PEAP/EAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2.
Which means storing the passwords in NTLM hash or cleartext. And
NTLM hash isn't much better than cleartext.

If all your clients support EAP-TTLS/PAP then sure, store the
passwords hashed in whatever method you like.

Or just move to EAP-TLS and use certificates. But the overheads
of that are significantly higher with cert management.


More information about the Freeradius-Users mailing list