Feature #10415


FreeRADIUS Package: Add option to enter NT or MD5 prehashed passwords in configuration

Added by Tet-Woo Lee about 4 years ago. Updated over 3 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:


The FreeRADIUS Package currently provides the option to use 'Cleartext-Password' and only hashing option - 'MD5-Password'. 'MD5-Password' computes the MD5 hash of the password to prevent internal storage of cleartext passwords. However, MD5 hashed passwords only support limited Authentication protocols (PAP and EAP-GTC). NT hash passwords (NTLM hash) are supported by more protocols, including the commonly used EAP-MSCHAPv2. The user should be provided an option to use NT hash passwords if desired. While cracking these hashes is trivial, use of a hash prevents casual observers from seeing the password.

Authentication with the NT hashed password is already supported by the underlying FreeRADIUS module - using the 'NT-Password' attribute in the 'users' configuration file (e.g. "user NT-Password := "NTHASHEDPASSWORD"). Therefore, adding NT Hash as an option can be simply done by changing the pfSense FreeRADIUS configuration interface. Instead of implementing NT hashing in the package, I suggest providing the user with an option to enter a pre-hashed NT password in the configuration (with the user calculating the hash by themselves using freely available tools), i.e. an 'NT-Password (pre-hashed)' option to the FreeRADIUS user configuration. This is then stored with the 'NT-Password' attribute in the radius configuration file.

A complementary option would be 'MD5-Password (pre-hashed)', which allows the user to enter a password already hashed by MD5. As with the currently available 'MD5-Password' option, this alternative will store the password as 'MD5-Password' in the radius configuration but skip the hashing step.

This feature relates to Feature #8835. I have prepared a patch for this feature and will submit a pull request.

Actions #1

Updated by Tet-Woo Lee about 4 years ago

Link to pull request: Implements #10415 Adds prehashed NT-Password and MD5-Password to FreeRadius config

Actions #2

Updated by Jim Pingle about 4 years ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Renato Botelho about 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #4

Updated by Azamat Khakimyanov over 3 years ago

  • Status changed from Feedback to Resolved

Tested on:
2.4.5_p1 and
2.5.0-DEVELOPMENT (amd64)
built on Mon Oct 05 00:53:54 EDT 2020

NT or MD5 prehashed passwords work as expected. Tested by radtest with freeradius running on Localhost (

This feature request can be mark RESOLVED.


Also available in: Atom PDF