Using SHA512 hash for EAP-MSCHAPv2
Alan DeKok
aland at deployingradius.com
Fri Aug 24 14:16:48 CEST 2018
On Aug 24, 2018, at 1:42 AM, Lukas Nuth <l.nuth at ostfalia.de> wrote:
>
> Is it possible to authenticate a client with PEAP-MSCHAPv2 when I store the password in a MySQL database as a SHA512 hash?
No.
http://deployingradius.com/documents/protocols/compatibility.html
> Or is there another way to authenticate the client? The password should be stored as a SHA512 hash.
TTLS with embedded PAP. That's it.
> The client supports EAP-TLS, EAP-TTLS, LEAP and PEAP and for phase 2: PEAP-MSCHAPv2 and PEAP-TLS or EAP-TTLS with CHAP, MSCHAP, MSCHAPv2, PAP and MD5.
Don't use LEAP for anything. It's insecure.
Alan DeKok.
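
The reason behind the answers above, as an added example that is not part of the original post or of FreeRADIUS: PAP delivers the cleartext password to the server, which can hash it and compare, while a challenge-response method requires the server to recompute the client's response from the cleartext (or, for MS-CHAPv2, the NT hash). Plain CHAP (RFC 1994) stands in here for the challenge-response family; the sample password, the unsalted digest and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the database holds only this digest, never the password.
# Unsalted SHA-512 is used only to keep the sketch short.
PASSWORD = b"correct horse"
STORED_SHA512 = hashlib.sha512(PASSWORD).hexdigest()


def verify_pap(cleartext: bytes, stored_hex: str) -> bool:
    """PAP inside the TTLS tunnel: the server receives the cleartext,
    hashes it the same way the database did, and compares digests."""
    candidate = hashlib.sha512(cleartext).hexdigest()
    return hmac.compare_digest(candidate, stored_hex)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap_with_cleartext(ident, password, challenge, response) -> bool:
    """A server that stores the cleartext can recompute the client's response."""
    expected = chap_response(ident, password, challenge)
    return hmac.compare_digest(expected, response)


def verify_chap_with_sha512_only(ident, stored_hex, challenge, response) -> bool:
    """A server that stores only the SHA-512 digest has no usable CHAP secret.
    The digest is one-way, so the best it can do is feed the digest itself in,
    and that never equals what the client computed from the real password."""
    expected = chap_response(ident, bytes.fromhex(stored_hex), challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    challenge = bytes(range(16))          # constructed, fixed for repeatability
    client_resp = chap_response(7, PASSWORD, challenge)
    print("PAP vs SHA-512 store: ", verify_pap(PASSWORD, STORED_SHA512))
    print("CHAP vs cleartext:    ",
          verify_chap_with_cleartext(7, PASSWORD, challenge, client_resp))
    print("CHAP vs SHA-512 store:",
          verify_chap_with_sha512_only(7, STORED_SHA512, challenge, client_resp))
```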