Hi all, Sorry if this question has been posted before.
I have a simple question regarding how to ensure the user's password is never leaked or found out by anyone, including administrators of the radius server or the backend LDAP server.
My requirement is that I would like to store the user password as a hash (eg SHA-256) within the LDAP.
Now if I were to use this LDAP server as the authentication source for the RADIUS server for eduroam, I would need to use EAP-TTLS with PAP as the inner authentication (since I don't have a reversible password at the backend). Now I notice that because it uses PAP, if I enable user-password logging on the RADIUS server, I can see the user's supplied password when their machine is authenticating to access eduroam.
This problem is even worse if the user is travelling at a partner institution and using eduroam, in that if that partner institution's RADIUS server has user-password logging enabled, they too can see my user's password.
I wonder if there's anything that can be done to prevent this, or have I missed something in my understanding?
Thanks,
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
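The following is an added example for readers of the thread; it is not code from the original poster or from the FreeRADIUS project. It shows the two mechanics behind the question: how a PAP User-Password is hidden on the wire (RFC 2865 section 5.2, a shared-secret-keyed MD5 XOR that anyone holding the secret can undo) and why a one-way hash in LDAP can only be checked by recomputing it over the plaintext, so the server verifying a PAP inner method necessarily has the password in hand at that moment. For EAP-TTLS specifically, the inner PAP attributes are carried inside the TLS tunnel, which terminates at the home institution's TTLS server (RFC 5281); a proxying site forwards the outer EAP-Message/TLS records, while the home server, having ended the tunnel, sees the plaintext and can log it. The shared secret, Request Authenticator and passwords below are constructed test values, and the {SSHA256} layout (base64 of sha256(password + salt) followed by the salt, mirroring the usual {SSHA} convention) is an assumption made for illustration.

```python
"""Added example: RFC 2865 PAP password hiding and hash verification.

Assumptions: SECRET, AUTHENTICATOR and the passwords are constructed test
values; the {SSHA256} layout (base64(sha256(pw + salt) + salt)) follows the
common {SSHA} convention and is used here only for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 16  # RFC 2865 hides the password in 16-byte MD5-sized blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way a NAS does (RFC 2865 section 5.2).

    The password is null-padded to a multiple of 16 bytes; block i is XORed
    with MD5(secret + previous ciphertext block), the first block being keyed
    from the 16-byte Request Authenticator. This is obfuscation keyed by the
    shared secret, not encryption: the secret is all a decoder needs.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        cipher_block = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += cipher_block
        prev = cipher_block
    return bytes(out)


def radius_decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the plaintext, as any party holding the shared secret can."""
    if not encoded or len(encoded) % BLOCK:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), BLOCK):
        cipher_block = encoded[i:i + BLOCK]
        out += _xor(cipher_block, hashlib.md5(secret + prev).digest())
        prev = cipher_block
    return bytes(out).rstrip(b"\x00")  # remove the RFC 2865 null padding


def ldap_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce a salted, one-way {SSHA256} value for a userPassword attribute."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(password + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_verify(stored: str, candidate: bytes) -> bool:
    """Check a plaintext candidate against a stored {SSHA256} value.

    A one-way hash can only be checked by recomputing it over the plaintext,
    which is why PAP (plaintext reaching the server) is the inner method that
    works with hashed LDAP passwords, and why the verifying server has the
    plaintext available to log at that moment.
    """
    prefix = "{SSHA256}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:32], raw[32:]
    return hmac.compare_digest(hashlib.sha256(candidate + salt).digest(), digest)


def pap_authenticate(user_password_attr: bytes, secret: bytes,
                     authenticator: bytes, stored: str) -> bool:
    """What the server does with an inner PAP request: undo the RFC 2865
    hiding, then compare against LDAP. The plaintext exists right here."""
    plaintext = radius_decode_password(user_password_attr, secret, authenticator)
    return ldap_verify(stored, plaintext)


if __name__ == "__main__":
    # Constructed values, not taken from any real deployment.
    SECRET, AUTHENTICATOR = b"testing123", bytes(range(16))
    stored = ldap_hash(b"correct horse battery")
    attr = radius_encode_password(b"correct horse battery", SECRET, AUTHENTICATOR)
    print("on the wire:", attr.hex())
    print("with the secret:", radius_decode_password(attr, SECRET, AUTHENTICATOR))
    print("authenticated:", pap_authenticate(attr, SECRET, AUTHENTICATOR, stored))
```

The decoder is the point of the block: the User-Password attribute is reversible by design, so every hop that holds the shared secret for a plain PAP request, and the server that terminates an EAP-TTLS tunnel, holds the plaintext; the only defence against it being logged is configuration and trust on that server, not the hash format in LDAP.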

