How to configure FreeRadius MD5-password WPA-Enterprise



  • Hi all, maybe this is a noob question:
    I set up my Unifi APs to authenticate with FreeRadius that I installed on a PFsense box.
    I got them to work but only with Clear-text password.
    As soon as I switch to MD5-Password it won't authenticate.

    What do I need to do?
    FYI: Using PFsense 2.3


  • LAYER 8 Global Moderator

    If you're going to take the time to set up freeradius and wpa enterprise, why not just go with eap-tls?  Do you not want to install certs on your devices?

    I am currently traveling, but when I get home this weekend I will play with using md5, I currently use eap-tls.



  • We used to simply use WEP with shared key, but now there's a requirement to have individual logins so we implemented Radius.
    I don't think we need TLS, don't need to be that fancy. It's just the clear-text password makes me a bit uneasy. Putting the MD5 in place will give us better peace of mind.
    I wonder if there's anything specific on the Unifi APs that you need to set.


  • LAYER 8 Global Moderator

    What eap are you using? Are you confusing that the password is stored in clear text, vs storing the password with a hash method?

    So you're using the freeradius users vs user manager in pfsense?  All of my users are in pfsense user manager, not in freeradius.



  • 1. I am using WPA-EAP-Enterprise
    2. Yes, I want to store the password as a hash
    3. Yes, I am using the Freeradius user manager to define my users.

    Is this approach wrong? Now I'm even more confused how you have your users stored in pfsense manager.

    Can you help me understand what that "clear-text" implies? Besides that the password is stored in clear text, does it also imply that between the access points and the Radius server the password exchange is sent in clear text?


  • LAYER 8 Global Moderator

    I don't have any users stored in user manager, my bad on that - I just have certs created for the users in ca manager since I use eap-tls.

    What eap are you using? You do understand only some eap support the md5 stored passwords.

    If I recall only PAP and eap-gtc work with md5 hashed passwords.  Your password is not being sent in clear, it's just stored on pfsense in clear.

    edit: here you go this might help
    http://deployingradius.com/documents/protocols/compatibility.html

    It's not really that big a deal stored clear
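
Why an MD5-Password entry only works when the server receives the password itself, shown as an added Python example that is not part of the thread or of FreeRADIUS: PAP is checked by hashing what arrived, while a challenge-response method cannot be checked from an MD5 digest. RFC 1994 CHAP is used as the simplest stand-in (MSCHAPv2 likewise needs the NT hash rather than an MD5 digest); the function names and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os


def store_md5(password: str) -> bytes:
    """What an MD5-hashed user entry keeps: only the digest, never the password."""
    return hashlib.md5(password.encode()).digest()


def verify_pap(stored_md5: bytes, received_password: str) -> bool:
    """PAP-style check: the password itself reaches the server (inside the
    TLS tunnel), so the server can hash it and compare with the stored digest."""
    candidate = hashlib.md5(received_password.encode()).digest()
    return hmac.compare_digest(stored_md5, candidate)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(server_secret: bytes, ident: int, challenge: bytes,
                response: bytes) -> bool:
    """Challenge-response check: the server must recompute the response from
    the same secret the client used, i.e. the cleartext password."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse"            # constructed sample password
    stored = store_md5(password)          # MD5-hashed user entry
    ident, challenge = 7, os.urandom(16)  # server-issued challenge
    # The client always computes its response from the real password.
    client_resp = chap_response(ident, password.encode(), challenge)
    return {
        "pap_with_md5_store": verify_pap(stored, password),
        "pap_wrong_password": verify_pap(stored, "wrong"),
        "chap_with_cleartext_store": verify_chap(password.encode(), ident,
                                                 challenge, client_resp),
        # Server holds only MD5(password): it cannot rebuild the response.
        "chap_with_md5_store": verify_chap(stored, ident, challenge,
                                           client_resp),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```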



  • OK, as long as the pw is not sent in clear during any part of the auth process that is fine. I was just worried that between the Access Points and the Radius server it's doing clear text.

    Now, if I try to connect, the pop-up shows these:
    Wi-fi security: WPA2 Enterprise
    Authentication: Tunneled TLS
    Cert Required: no
    Inner authentication: MSCHAPv2

    Now, what does that tell you? What is "inner authentication" vs "authentication", what is it referring to?

    Thanks.


  • LAYER 8 Global Moderator

    Tells me your auth is sent inside a tunnel which is encrypted.  And tells me you're using mschapv2 to send your info, which is not in clear.  But is quite old

    https://en.wikipedia.org/wiki/MS-CHAP



  • Thank you.

