I'm trying to set up a wireless network as shown in the picture, and I'm struggling with how to secure it.
Picture of Wi-Fi network:
My basic question is: how can I securely store passwords in a MySQL database so that FreeRADIUS can read them?
Here's a longer version of what I want to accomplish:
- User connects to wireless network
- User will be prompted for a username and password
- With the right credentials, the RADIUS server will send a certificate and a TLS connection can be formed.
I've got the setup working with Cleartext-Password, but obviously I'd like to secure the passwords with some kind of hash. Right now the passwords are stored in clear text in the database. From this compatibility table I've understood that if I use PEAP with MSCHAPv2 I need to use NT-hash passwords: http://deployingradius.com/documents/protocols/compatibility.html
When I add a user with daloRADIUS, there are only options for Cleartext-, User-, Crypt-, MD5-, SHA1- and CHAP-Password. There's no option for an NT-hash password. I guess this means I can't use daloRADIUS as a web GUI. I've thought that I'll just make a shell script which will easily add and remove users in the database.
In FreeRADIUS I've configured /etc/freeradius/mods-available/eap:
```
eap {
    default_eap_type = peap
    # other eap settings omitted in the question
    peap {
        default_eap_type = mschapv2
        # other peap settings omitted in the question
    }
}
```
If I've understood correctly, I'm now using EAP-PEAP with MSCHAPv2 and TLS. I know I'm using TLS because on the first login attempt to the wireless network, freeradius -X debugging mode gives the error below. After attempting TLS, the user is asked for a username and password.
```
(28) eap_peap: <<< TLS 1.2 [length 0002]
(28) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(28) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(28) eap_peap: ERROR: SSL says: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(28) eap_peap: ERROR: SSL_read failed inside of TLS (-1), TLS session failed
(28) eap_peap: ERROR: TLS receive handshake failed during operation
(28) eap_peap: ERROR: [eaptls process] = fail
(28) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(28) eap: Sending EAP Failure (code 4) ID 162 length 4
(28) eap: Failed in EAP select
```
With Cleartext-Password, authentication works, but when I try to put in some kind of hashed password, the authentication fails, as seen below.
```
(36) Found Auth-Type = EAP
(36) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(36) authenticate {
(36) eap: Expiring EAP session with state 0x024362c402167826
(36) eap: Finished EAP session with state 0x024362c402167826
(36) eap: Previous EAP request found for state 0x024362c402167826, released from the list
(36) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(36) eap: Calling submodule eap_mschapv2 to process data
(36) eap_mschapv2: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(36) eap_mschapv2: Auth-Type MS-CHAP {
(36) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(36) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(36) mschap: Creating challenge hash with username: joujou
(36) mschap: Client is using MS-CHAPv2
(36) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(36) mschap: ERROR: MS-CHAP2-Response is incorrect
(36) [mschap] = reject
(36) } # Auth-Type MS-CHAP = reject
(36) eap: Sending EAP Failure (code 4) ID 85 length 4
```
So could you help me: what options do I have for hashing the passwords?
Here's the software and hardware I'm using:
- Mainly Windows 10 laptops
- TP-Link Archer C7 v2 wireless access points, running with OpenWRT Chaos Calmer 15.05 / Luci (git-15.248.30277-3836b45)
- 2 ESXi virtual machines: one is running pfSense 2.2.6 and the other one is running Ubuntu Server 14.04.
- On Ubuntu Server I've installed FreeRADIUS 3.0.10 with MySQL and daloRADIUS 0.9-9.
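As an added example (not part of the original question, and not daloRADIUS or FreeRADIUS code), the script below shows what the "add user" shell script mentioned above would have to compute: the NT hash the mschap module asks for in the debug output is MD4 over the password encoded as UTF-16LE, and it is stored in the radcheck table as an `NT-Password` check item. It assumes the stock rlm_sql schema (columns `username`, `attribute`, `op`, `value`) and that FreeRADIUS accepts the hash as 32 upper-case hex characters. MD4 is implemented inline because `hashlib.new("md4")` is unavailable on many current systems (OpenSSL 3 moved MD4 to its legacy provider); the in-memory sqlite3 table is a constructed stand-in for the MySQL radcheck table so the script runs offline.

```python
import sqlite3
import struct

MASK = 0xFFFFFFFF


def _rotl(v: int, s: int) -> int:
    return ((v << s) | (v >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Only needed because OpenSSL 3 disables
    MD4 by default; for legacy auth like NT hashes it is still required."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)

    rounds = (
        # (boolean function, word order, per-step shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, order, shifts, k_add in rounds:
            for i in range(16):
                a = _rotl((a + func(b, c, d) + X[order[i]] + k_add) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: ABCD -> DABC -> CDAB -> BCDA
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), returned as 32 upper-case hex chars.
    The UTF-16LE step matters for any non-ASCII password."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Assumed stock rlm_sql radcheck schema; mschap looks for NT-Password here
# instead of Cleartext-Password, so the clear text never has to be stored.
RADCHECK_INSERT = "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)"


def radcheck_row(username: str, password: str) -> tuple:
    """Row tuple for radcheck: the ':=' operator sets the check item."""
    return (username, "NT-Password", ":=", nt_hash(password))


def demo_store_and_read(username: str = "joujou", password: str = "password") -> dict:
    """Constructed stand-in: sqlite3 in-memory radcheck table instead of MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
                 "attribute TEXT, op TEXT, value TEXT)")
    conn.execute(RADCHECK_INSERT, radcheck_row(username, password))
    rows = conn.execute("SELECT username, attribute, op, value FROM radcheck").fetchall()
    conn.close()
    return {u: (attr, op, val) for u, attr, op, val in rows}


if __name__ == "__main__":
    # "password" is the well-known NT-hash test vector, used here only as sample input.
    print(demo_store_and_read())
```

Against a real MySQL radcheck table the same INSERT is used, but MySQL DB-API connectors take `%s` placeholders rather than sqlite3's `?`; keep the parameterized form either way rather than building the statement by string concatenation.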
