How to store local user password in clear-text format or with reversible encryption in CPPM 6.5.x?

By esupport posted Sep 28, 2015 04:30 PM


We noticed the ClearPass server stopped storing the local user password in clear-text format after upgraded the server to 6.5.0. We have some VoIP phones and other devices, that are authenticating against ClearPass server using the local user accounts and authentication methods like EAP-MD5, chap, etc., requires the password to be stored in clear-text to authenticate the users.

Is it possible to store the local users[Local User Repository] accounts password in clear-text format?


A new field in the cluster wide parameters was added from ClearPass 6.5.2 to store local user passwords using reverse encryption. Setting up the cluster wide parameter "Store Local User passwords using reversible encryption" to TRUE will support clear-text password based authentication against local user repository. 


Please follow the below steps to store the local user accounts for clear-text password based authentication,

Step 1: Navigate to Administration >> Server Manager >> Server Configuration >> Cluster-Wide Parameters >> Database and set the parameter "Store Local User passwords using reversible encryption" to TRUE and save the changes.

Note: You must reset the existing local user passwords after setting the above parameter to TRUE to update the passwords using reversible encryption.


Step 2:  The authentication filter of the [Local User Repository] must be modified manually to add/insert the below query to retrieve the local user's password in clear-text.

"user_credential(password) AS User_Password,"

Navigate to Configuration >> Authentication >> Sources >> [Local User Repository] >> Attributes >> Filter Name >> Authentication and update/modify the Filter Query as shown below.


You could also replace the existing filter query with the below.

SELECT user_credential(password) AS User_Password,user_credential(password_hash) AS Password_Hash,
                user_credential(password_ntlm_hash) AS Password_Ntlm_Hash,
                CASE WHEN enabled = FALSE THEN 225
                WHEN ((expire_time is not null AND expire_time <= now()) OR (passwordPolicy.expiry_days > 0 AND
                (PASSWORD_UPDATED_AT <= (now() - interval '1 days' * passwordPolicy.expiry_days))) ) THEN 226
                ELSE 0
                END AS Account_Status,
       as Role_Name,
                case when enabled=true then 'true' else 'false' end as enabled FROM tips_auth_local_users JOIN tips_role ON 
                (tips_auth_local_users.user_role =, password_policy passwordPolicy WHERE 
                passwordPolicy.usertype='LOCAL_USERS' AND user_id = '%{Authentication:Username}'



Please refer the below screen capture conforming user authentication against local user repository with the authentication method CHAP, which requires the password to be validate in clear-text.