Protocol and Password Compatibility
Passwords may be stored in a DB in many forms. Clear-text, MD5 hashed, crypt'd, NT hash, or other methods are all commonly used. Authentication protocols used in RADIUS are not always compatible with the way the passwords have been stored. The following table shows which protocol is compatible with what kind of password.
| Protocol | Clear-text | NT hash (ntlm_auth) | MD5 hash | Salted MD5 hash | SHA1 hash | Salted SHA1 hash | Unix Crypt |
|---|---|---|---|---|---|---|---|
| PAP | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CHAP | ✓ | x | x | x | x | x | x |
| Digest | ✓ | x | x | x | x | x | x |
| MS-CHAP | ✓ | ✓ | x | x | x | x | x |
| PEAP | ✓ | ✓ | x | x | x | x | x |
| EAP-MSCHAPv2 | ✓ | ✓ | x | x | x | x | x |
| Cisco LEAP | ✓ | ✓ | x | x | x | x | x |
| EAP-GTC | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| EAP-MD5 | ✓ | x | x | x | x | x | x |
| EAP-PWD | ✓ | x | x | x | x | ✓ | ✓ |
Legend
If the corresponding cell is green (i.e. has a '✓' check mark), the password storage method and the protocol are compatible, and authentication is possible.
If the corresponding cell is red (i.e. has an 'x'), the password storage method and the protocol are not compatible, and authentication is not possible.
Notes
For EAP-TTLS, EAP-FAST and EAP-TEAP look up the tunneled protocol in the above table. For the purposes of this table, the tunneled session is just another RADIUS authentication request. So for EAP-TTLS, with tunneled PAP, look up PAP in the above table.
Similarly, PEAP normally contains EAP-MSCHAPv2 in the tunneled session, so its row in the table is identical to the EAP-MSCHAPv2 row, which is in turn identical to the MS-CHAP row.
EAP-TLS, EAP-SIM, EAP-AKA and EAP-AKA' are not mentioned in the above table as they do not use password based credentials. EAP-TLS relies on digital certificates, whilst EAP-SIM uses SIM triplets, and EAP-AKA and EAP-AKA' use AKA quintuplets.
EAP-PWD supports many more salted hashing schemes than listed above; see RFC 8146 for more details.
Gotchas
Many people store passwords in their databases in hashed or encrypted form. They later decide that they need to support an authentication protocol that the above table shows is incompatible with their password storage method. They then ask:
How can I make authentication protocol X work with passwords stored as Y?
The short answer is:
You can't.
The password hashes and the authentication protocols were designed to be incompatible. If the cell in the above table is red, it is impossible to make that authentication protocol use that form of the password. Your only choices are to stop using that authentication protocol, or to store the passwords in a form compatible with it. The second choice usually means asking all users to change their passwords, unfortunately, because the existing hashes cannot be converted.
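As an added illustration of why the PAP row is all green while the CHAP row is clear-text only (the point the Gotchas section makes), here is example code that is not part of this wiki page or of FreeRADIUS. It implements the server-side check for PAP against a salted SHA1 store and for CHAP (RFC 1994) against either a clear-text or a salted SHA1 store; the password, salt and challenge values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not real credentials).
PASSWORD = b"correct horse battery"
SALT = bytes.fromhex("0102030405060708")
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
CHAP_ID = 7


def store_salted_sha1(password: bytes, salt: bytes) -> bytes:
    """Database side: keep SHA1(password || salt) followed by the salt (SSHA layout)."""
    return hashlib.sha1(password + salt).digest() + salt


def verify_pap(stored: bytes, submitted: bytes) -> bool:
    """PAP hands the server the clear-text password, so the server can re-apply
    the stored salt and hash and compare. Any storage form works this way."""
    digest, salt = stored[:20], stored[20:]
    return hmac.compare_digest(hashlib.sha1(submitted + salt).digest(), digest)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: the client proves the password by sending
    MD5(identifier || password || challenge); the password itself never travels."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(stored: bytes, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """Server side of CHAP: recompute the same MD5 over whatever the database
    holds. Only clear-text storage makes this equal to the client's response."""
    return hmac.compare_digest(chap_response(chap_id, stored, challenge), response)


def demo() -> dict:
    """Run both protocols against a salted SHA1 store and a clear-text store."""
    ssha = store_salted_sha1(PASSWORD, SALT)
    response = chap_response(CHAP_ID, PASSWORD, CHALLENGE)
    return {
        # PAP + salted SHA1: green cell in the table.
        "pap_salted_sha1": verify_pap(ssha, PASSWORD),
        "pap_wrong_password": verify_pap(ssha, b"wrong"),
        # CHAP + clear-text: green cell.
        "chap_clear_text": verify_chap(PASSWORD, CHAP_ID, CHALLENGE, response),
        # CHAP + salted SHA1: red cell. The server only has the digest, and MD5
        # over the digest is not MD5 over the password, so a correct client fails.
        "chap_salted_sha1": verify_chap(ssha, CHAP_ID, CHALLENGE, response),
    }
```

The last entry is the whole point: no manipulation of the stored digest on the server side can recover what CHAP needs, which is why the only fix is to change how the passwords are stored.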