Client side encryption not working when not using CHAP


timo
02-03-2004, 10:54 AM
I checked my client side encryption using Mozilla's http header snoop, and found that the passwords are passing in clear text when CHAP is not enabled for RADIUS authentication.

I cannot use CHAP authentication because my passwords are already encrypted in my database. So, what's my solution? I need to fix this quick since I already have a deployment... two hotspots open to the general public right now using PAP/RADIUS in the backend.

timo
02-03-2004, 10:56 AM
Any chance of getting SSL support soon so I can plug in certificates and so on?

lonnie
02-03-2004, 12:34 PM
We'll look at this. What methods does your radius allow? It is fine to save them to disk encrypted but they must use some form of protection over the air.

tony
02-04-2004, 10:48 AM
Many radius servers encrypt their passwords on disk, however they have (and need) the ability to decrypt them for verification using CHAP, CHAPv2, and PAP. As long as your radius server supports CHAP you should be Ok.

timo
02-05-2004, 04:32 PM
Our RADIUS server reads encrypted passwords from a database. They are not stored anywhere in the clear, which rules out CHAP and CHAPv2. PAP works properly after the clear password is crypted and compared to the password in the database.

The only way I could use CHAP would be to have a clear text password file, which is a bit of a problem since there are 13,000 entries in our password database, and they are all encrypted. It would be quite a task to call the customers and regenerate the database with clear passwords. :-)
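The conflict that tony and timo are describing, as an added example that is not code from this thread or from any RADIUS product: RFC 1994 CHAP answers a challenge with MD5(Identifier || Secret || Challenge), so the server must hold the secret itself to recompute the digest, whereas PAP delivers the password and lets the server hash and compare it against a one-way record. The username, password and PBKDF2 storage format are constructed for the example; it models only the digest computations, not RADIUS packet encoding.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed credential for the example; not from the thread.
USERNAME = "customer0001"
PASSWORD = "correct horse battery"
PBKDF2_ROUNDS = 100_000


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).

    The peer proves it knows the secret without sending it, but the
    authenticator needs the same secret to recompute the digest."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, stored_secret: bytes,
                challenge: bytes, response: bytes) -> bool:
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def store_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """One-way, salted storage as timo describes: only a hash lands on disk."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def pap_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """PAP: the server receives the password itself, re-hashes and compares."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def run_exchanges() -> dict:
    """Run both authentication styles against the same hashed record."""
    salt, digest = store_password(PASSWORD)
    results = {}

    # PAP: the password arrives as-is, so the hashed record is enough to verify.
    results["pap_ok"] = pap_verify(PASSWORD, salt, digest)
    results["pap_wrong"] = pap_verify("wrong password", salt, digest)

    # CHAP: the client folds its real password into the challenge...
    identifier = 0x2A
    challenge = os.urandom(16)
    response = chap_response(identifier, PASSWORD.encode("utf-8"), challenge)

    # ...and a server that holds the cleartext secret can verify it.
    results["chap_with_cleartext"] = chap_verify(
        identifier, PASSWORD.encode("utf-8"), challenge, response)

    # A server holding only the one-way hash has nothing to feed into MD5
    # that matches what the client used, so verification necessarily fails.
    results["chap_with_hash_only"] = chap_verify(
        identifier, digest, challenge, response)
    return results


if __name__ == "__main__":
    for name, ok in run_exchanges().items():
        print(f"{name}: {ok}")
```

The last result is the whole problem in one line: a hashed-only database can serve PAP but never CHAP, which is why the thread's choice is between a cleartext-recoverable store on the server and a cleartext password on the wire, and why the usual answer is to protect the PAP leg with transport encryption rather than to weaken storage.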

lonnie
02-05-2004, 09:57 PM
You have to be able to make your radius server accept CHAP. It is fine for them to store passwords encrypted but to then require clear text is just plain stupid. It secures one area and opens the real vulnerable part to prying eyes.

What is the server by the way? Have you contacted the maker?

georgew
02-05-2004, 10:25 PM
The only way I could use CHAP would be to have a clear text password file, which is a bit of a problem since there are 13,000 entries in our password database, and they are all encrypted. It would be quite a task to call the customers and regenerate the database with clear passwords. :-)

Do what I do what I have to do that sort of thing... turn on debug mode on the radius server, and start capturing passwords. My partner is anal about security. One day we needed to move the user database, and for chap purposes, we needed the passwords... I just turned my email and my radius server's debug mode on, and was able to harvest 98% of the users' passwords in a short period. Reduced the number of people to call to a reasonably small number.

Storing encrypted passwords sounded like a good idea until chap came along...