
List:       freeradius-users
Subject:    Re: EAP-Tls with MySQL
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2016-06-18 16:56:30
Message-ID: 367BAE21-B2C3-4B41-8A05-04AD2903C2B0 () deployingradius ! com

On Jun 18, 2016, at 12:35 PM, Nicolas Roussi <nicolas.roussi@archimedean.org> wrote:
> 
> > My understanding after reviewing the debug messages is that upon association with
> > the AP, the client performs a key exchange with FR server. Then, once the secure
> > channel is set up, the client is asked to provide username and password. Is my
> > understanding correct? I used this guide:
> > https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-configure-wpa2-enterprise
> >
> > That password is expected (or it defaults to) Cleartext-Password. Is there a way
> > that I can change that? As I said before, it works. I just don't feel comfortable
> > saving user passwords in cleartext in my DB.
> 
> So while I was writing the above reply, I thought of the following.
> I will save the password in the DB like this:
> username 	|	attribute 				|	op	|	value
> <username>	|	Cleartext-Password		|	:=	|	<hashed password>

  Don't do that.  Cleartext-Password is the CLEAR TEXT PASSWORD.

> And then modify the dialup.conf file for the authorize_check_query.

  Don't do that, either.

> Should work fine.

  It might "work".  It's not a reasonable thing to do.

  If you want to store hashed passwords in the database, read "man rlm_pap".  This is documented.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
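
An added example, not part of Alan DeKok's reply or the FreeRADIUS project's code: one way to produce a salted SHA-1 value for rlm_pap's SSHA-Password attribute, so the radcheck row holds a hash under an attribute that says so instead of under Cleartext-Password. It assumes the inner method hands the server the plaintext password (PAP, for example inside EAP-TTLS), which the thread does not state; the user name and password are constructed samples.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20  # bytes in a SHA-1 digest


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return base64(SHA1(password + salt) + salt), the SSHA layout."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per user
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) <= SHA1_LEN:  # no salt present: not an SSHA value
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def radcheck_row(username: str, password: str) -> Tuple[str, str, str, str]:
    """Build (username, attribute, op, value) in the layout of the table above."""
    return (username, "SSHA-Password", ":=", make_ssha(password))


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    row = radcheck_row("alice", "correct horse battery staple")
    print(" | ".join(row))
    print("verifies:", verify_ssha("correct horse battery staple", row[3]))
    print("wrong password:", verify_ssha("guess", row[3]))
```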

