Best/simplest authentication method to validate an encrypted user/password against encrypted known-good.
Matthew Newton
mcn at freeradius.org
Fri May 1 23:35:57 CEST 2020
On 01/05/2020 22:13, Gleb Lisikh wrote:
> The client uses EAP and MSCHAPv2 for EAP/TLS inner-tunnel authentication.
> And mschap requires Cleartext-Password for known good password. Is there
> any way to substitute such password with an encrypted (e.g. SHA1) string?

MSCHAPv2 can use *only* cleartext password, or NT hash. Nothing else
will work.

See http://deployingradius.com/documents/protocols/compatibility.html

> Anything I can do to overcome this Cleartext problem?

No, not if you use MSCHAPv2.

> On a side note, I'd also rather not use SQL or LDAP for proving an
> encrypted password

Well, you've got to get the password from somewhere. They're the common
sort of places people use to store user data.

I would advise that you use FreeRADIUS to do the authentication, rather
than trying to do something yourself in one of the language modules,
especially python, for performance reasons.

--
Matthew