PAP and NT-hashed password

sb superabx at gmail.com
Tue Dec 30 10:46:34 CET 2014


Hello!

I'm trying to authenticate users from LDAP with FreeRadius using the PAP
protocol. Passwords are stored in LDAP as NT hashes. It's not my idea, I just
have to do it.

When I do

radtest -t pap ....

I see from freeradius -X:

[pap] login attempt with password "n*******W"
[pap] Using clear text password "1D******************************9B"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed):
[user/n***********W] (from client localhost port 0)
Using Post-Auth-Type Reject

So, FreeRadius compares my clear-text password with the NT hash taken from
LDAP. Of course they do not match and I get a reject. If I use this
hash as the password, it works.

At the same time, if I use mschap, it works well:

radtest -t mschap ...

+- entering group MS-CHAP {...}
[mschap] Found LM-Password
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] adding MS-CHAPv1 MPPE keys
++[mschap] returns ok



So the question is: how can I force PAP to create an NT hash from the given
password and compare hash with hash, rather than password with hash?

Thank you!