Is there a best practice around credential storage?

Alan DeKok aland at
Fri Dec 20 13:53:35 CET 2019

On Dec 20, 2019, at 7:06 AM, Coy Hile <coy.hile at> wrote:
> Requiring a separate password for such things is already something I expected and will require. Are there concerns that whoever manages the directory can read that plaintext attribute (whether it be in the directory or a database)?

> Or, honestly, that any actors who gain access to the RADIUS server can thus read the same?

> I’m trying to anticipate questions I’d certainly be asked by reviewers who balk at that. Being able to point and say “It’s widely considered best practice.” could help.

  Usually it's not about best practices.  It's about what's *possible*.

  It's best to say "your requirements are impossible to implement".  If you can't say that, say "we're following best practices".

  Use client certs if you can.  e.g. enterprise.

  Otherwise TTLS + PAP.  Unless you can't re-configure the clients, and then use PEAP/MS-CHAPv2, but only because you have no control over the clients.

  Using multiple passwords doesn't really help.  If the DB is compromised, then *all* passwords are compromised.

  Alan DeKok.
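The reason TTLS + PAP is preferred over PEAP/MS-CHAPv2 when the clients can be reconfigured is what the server has to keep in the user database. With PAP the server receives the clear-text password inside the TLS tunnel and can check it against a salted, slow hash; with MS-CHAPv2 the server must hold the user's NT hash (MD4 over the UTF-16LE password), which is unsalted, cheap to compute and itself enough to authenticate as that user. The following is an added illustration written for this thread, not code from FreeRADIUS or from the poster; the record layouts, function names and the PBKDF2 parameters are assumptions chosen for the example, and MD4 is implemented in pure Python only because OpenSSL 3 builds of `hashlib` often ship it in the legacy provider alone.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); only here because hashlib may lack it."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"          # standard Merkle-Damgard padding
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash as used by MS-CHAPv2 (RFC 2759): MD4(UTF-16LE(password))."""
    return _md4(password.encode("utf-16-le"))


# Assumed record layout for a user whose EAP method is TTLS + PAP: the server
# sees the clear-text password at login, so the DB only needs a salted slow hash.
PBKDF2_ROUNDS = 100_000  # constructed value for the example


def make_pap_record(password: str) -> dict:
    salt = os.urandom(16)  # per-user salt: identical passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pbkdf2_sha256": digest}


def verify_pap(record: dict, presented: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode("utf-8"),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["pbkdf2_sha256"])


# Assumed record layout for PEAP/MS-CHAPv2: the challenge/response is computed
# from the NT hash, so the DB must hold that hash (or the clear text) verbatim.
def make_mschapv2_record(password: str) -> dict:
    return {"nt_hash": nt_password_hash(password)}


def same_password_is_detectable(make_record, password: str) -> bool:
    """True if two users sharing a password get byte-identical stored records,
    i.e. the stored form is unsalted and deterministic (what a DB thief sees)."""
    r1, r2 = make_record(password), make_record(password)
    return r1 == r2


if __name__ == "__main__":
    pw = "password"  # constructed sample credential
    print("NT hash:", nt_password_hash(pw).hex())
    print("PAP record verifies:", verify_pap(make_pap_record(pw), pw))
    print("PAP records deterministic:", same_password_is_detectable(make_pap_record, pw))
    print("MS-CHAPv2 records deterministic:", same_password_is_detectable(make_mschapv2_record, pw))
```

The salted PBKDF2 record answers the "directory admin can read the attribute" concern for the PAP case: what is stored is neither the password nor a password equivalent. It does not change the second concern in the question, since whoever controls the RADIUS server at authentication time sees the clear-text password inside the tunnel regardless of storage; only client certificates (EAP-TLS) remove the password from the server altogether, which is why they come first in the advice above.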
