Thanks Alan, Sven. The SQL server is on the same virtual machine as FreeRADIUS. I'm also creating a web application to manage users, certificates, server settings etc - it will be hosted on the same machine.
I just thought that keeping ANY passwords ANYWHERE in plaintext form is not a good idea. But then again, if someone gains access to my server then in fact he could do anything and the password would not matter.

> > 2 - Can I hash user passwords if I'm using eap-tls?
> > 2a - if I'm using certificates for authentication, do I actually need to
> > keep user passwords? Cause it seems that they aren't used during
> > authentication (or I didn't find that part during debugging)
>
> If 2a, then no, as the certificate is the only needed credential of a
> user/system, no username/password involved.

That's good and bad.
- Good, cause it simplifies initial implementation a bit.
- Bad, because I was counting I could do something like double authentication - user/password after cert verification.

But in that case, is there any way to 'disable' a user's key in case I don't want him to access my network? What if I need to generate a new user certificate as a replacement for the old one that has been lost/stolen etc? I can give an 'Expiration' attribute to the account, but that doesn't solve the case, as I want to give the same user a new key. Any ideas?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

