RADIUS protocol and password compatability
Passwords
Passwords may be stored in many forms including MD5 hashed, crypt'd, NT hash, or other methods. Authentication protocols used in RADIUS are not always compatible with the way the passwords have been stored.
The following table shows which protocol is compatible with what kind of password.
For EAP-TTLS, look up the tunneled protocol in the table. For the purposes of this table, the tunneled session is just another RADIUS authentication request. For example for EAP-TTLS, with tunneled PAP, look up PAP in the table.
PEAP normally contains EAP-MSCHAPv2 in the tunneled session, so its row in the table is identical to the EAP-MSCHAPv2 row, which is in turn identical to the MS-CHAP row.
Clear-text | NT hash | MD5 hash | Salted MD5 hash | SHA1 hash | Salted SHA1 hash | Unix Crypt | |
---|---|---|---|---|---|---|---|
PAP | + | + | + | + | + | + | + |
CHAP | + | - | - | - | - | - | - |
Digest | + | - | - | - | - | - | - |
MS-CHAP | + | + | - | - | - | - | - |
PEAP | + | + | - | - | - | - | - |
EAP-MSCHAPv2 | + | + | - | - | - | - | - |
Cisco LEAP | + | + | - | - | - | - | - |
EAP-GTC | + | + | + | + | + | + | + |
EAP-MD5 | + | - | - | - | - | - | - |
EAP-SIM | + | - | - | - | - | - | - |
EAP-TLS | - | - | - | - | - | - | - |