[strongSwan] eap-radius

Martin Willi martin at strongswan.org
Tue Nov 6 10:12:09 CET 2012

Hi Dimitry,

> Please tell - if i will use strongswan + eap-radius + freeradius - all 
> user passwords will be stored encrypted in mysql database?

This does not depend on strongSwan, but on your clients and your RADIUS
installation. If you connect Windows 7 clients with EAP-MSCHAPv2, your
RADIUS backend has to provide at least the NT hashes of your passwords.
That's not really safe, and a non-reversible encryption is not possible
with that protocol.

If you use other clients, or even our xauth-eap bridge, it depends on
the used EAP method. Our EAP-GTC for example exchanges passwords (in the
safely encrypted tunnel) in the clear, hence you can apply any hashing
function to verify them against your hashed database entries.


More information about the Users mailing list