MySQL
Sergey Pribylskiy, 2015-05-14 14:29:31

FreeRadius (radpostauth) and cleartext password?

I set up a Cisco + FreeRADIUS + MySQL stack.
Authentication and authorization of users is successful. But I noticed that the data (password) is written to the radpostauth table in clear text:
id username pass reply authdate
user12 passForUser Access-Accept 2015-05-14 14:49:4
In the radiusd.conf file, logging of successful and unsuccessful passwords is disabled (but this applies to the text log file):
auth_badpass = no
auth_goodpass = no
I found no such parameters for the MySQL table.
It is not advisable to start the radius service with such a vulnerability.


1 answer(s)
Sergey, 2015-05-14
@bk0011m

Well, it's not that vulnerable. You do not store the password from MySQL in clear text.
Everything is written here:
This table is used for logging failed login attempts. To use this, you'll need to uncomment sql inside postauth section (/usr/local/etc/raddb/sites-available/default.). Think twice before you enable this option because it can overload your server with constant inserts. Your customers will probably spend their money on wireless or wired routers so the logging attempts will come over and over.
Comment out the relevant parameter and nothing will be written. By default, the SQL line is commented out.
Source: www.serveradminblog.com/2011/12/freeradius-install...
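
A way to check which state a server is in, as an added example that is not part of the original answer or of FreeRADIUS itself: the function below scans a virtual-server file and reports every active `sql` call inside the `post-auth` section, which is what causes rows to be written to radpostauth. The sample configuration and the function name `sql_in_post_auth` are constructed for illustration, and the comment handling is simplified (everything after `#` is dropped).

```python
import re

# Constructed sample of a virtual-server file such as sites-available/default;
# it is not taken from the page.
SAMPLE = """\
authorize {
    sql
}
post-auth {
    exec
    sql            # active: post-auth logging to radpostauth is on
    Post-Auth-Type REJECT {
        # sql
        attr_filter.access_reject
    }
}
"""

def sql_in_post_auth(text):
    """Return [(line_no, section_path)] for each active sql call under post-auth."""
    hits, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                   # section opens, e.g. "post-auth {"
            stack.append(line[:-1].strip())
        elif line == "}":                        # section closes
            if stack:
                stack.pop()
        elif stack and stack[0] == "post-auth" and re.fullmatch(r"-?sql", line):
            # "-sql" is the optional-module form used by newer default configs
            hits.append((no, "/".join(stack)))
    return hits

if __name__ == "__main__":
    for no, path in sql_in_post_auth(SAMPLE):
        print(f"line {no}: sql is active in {path}; logins are written to radpostauth")
```

An empty result means no `sql` call is active under `post-auth`, which is the commented-out default the answer describes; the `sql` call in `authorize` is deliberately ignored because it does not write to radpostauth.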
