Am attempting to get a configuration using FreeRADIUS with an LDAP backend. The user accounts have their passwords stored in MD5 hashes and therefore I’ve run into the same problem as in this thread:
What alternatives can people suggest to get this working without having to reduce the security of the LDAP install by holding clear text user passwords?
As has already been explained in the discussion that you pointed us to, this is an inherent requirement of CHAP. It just must have a way to get at the cleartext password. This is inherent to all shared-secret with challenge-response authentication schemes.
There is a tradeoff between keeping the password secure in transmission (“on the wire”), which CHAP will do, and keeping it secure in the database.
One way to enhance the security of the passwords that are stored in the database is to encrypt them with a reversible algorithm. That’s of course much less secure than non-reversible, one-way algorithms such as SHA1 or MD5, but it’s better than having cleartext passwords if your database gets compromised and/or stolen.
Support for such a reversible pseudo-encryption for the passwords will need to be implemented inside the RADIUS server; the router will not know anything about it.
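
An added example, not part of the original thread: the CHAP response calculation from RFC 1994, showing why a server that stores only MD5(password) cannot verify a correct client. The function names are hypothetical and the password, identifier and challenge are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_with_cleartext(stored_password: bytes, ident: int,
                          challenge: bytes, response: bytes) -> bool:
    """Server holds the cleartext password, so it can recompute the response."""
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_md5_hash(stored_hash: bytes, ident: int,
                         challenge: bytes, response: bytes) -> bool:
    """Server holds only MD5(password). The password is mixed with the
    identifier and challenge *inside* the hash, so the stored digest cannot
    be turned into the expected response; using it as the secret gives a
    different value and a correct client is rejected."""
    expected = chap_response(ident, stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"correct horse"      # constructed sample password
    ident = 0x2A                     # constructed CHAP identifier
    challenge = os.urandom(16)       # fresh server challenge per attempt
    # Client side: knows the cleartext and answers the challenge.
    response = chap_response(ident, password, challenge)
    stored_hash = hashlib.md5(password).digest()  # what the LDAP entry holds
    return {
        "cleartext_store": verify_with_cleartext(password, ident, challenge, response),
        "md5_store": verify_with_md5_hash(stored_hash, ident, challenge, response),
        "wrong_password": verify_with_cleartext(b"wrong", ident, challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```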