Ms-Chap + NT-Password
Alan DeKok
aland at deployingradius.com
Fri Dec 21 01:13:12 CET 2018
On Dec 20, 2018, at 6:18 PM, Anton Kiryushkin <swood at fotofor.biz> wrote:
> You're right. My fault. Please see log below:
Thanks.
> ...
> (9) sql-wifi: Conditional check items matched, merging assignment check
> items
> (9) sql-wifi: NT-Password :=
> 0x6336623331333036323736373866653636626166393538616561356566363138
Again... that's all ASCII data. You've taken the hex form of the string:
c6b3130627678fe66baf958aea5ef618
And instead of just putting this into SQL:
NT-Password := 0xc6b3130627678fe66baf958aea5ef618
You've converted the ASCII representation to hex again... and then set that as the NT password.
Don't do that.
> ...
> (9) eap_mschapv2: Auth-Type MS-CHAP {
> (9) mschap: WARNING: NT-Password found but incorrect length, expected 16
> bytes got 12 bytes. Authentication may fail
And the NT password is mangled, as noted above.
Why are you converting the hex string to ASCII *twice*? Just take the output of smbencrypt, put a "0x" in front of it, and set it as NT-Password in the database:
Again:
$ smbencrypt hello
LM Hash                          NT Hash
-------------------------------- --------------------------------
FDA95FBECA288D44AAD3B435B51404EE 066DDFD4EF0E9CD7C256FE77191EF43C
And then:
NT-Password := 0x066DDFD4EF0E9CD7C256FE77191EF43C
You *don't* have to hex-encode the hex output of smbencrypt.
Alan DeKok.
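
Added example, not part of the original post and not FreeRADIUS code: a check that could be run over NT-Password values before they are written to SQL, to catch the double hex-encoding described above. The function name and status labels are assumptions made for this sketch; the sample values are the ones quoted in the thread.

```python
import binascii
import string

NT_HASH_LEN = 16  # bytes; the length the mschap warning in the log expects
HEX_DIGITS = set(string.hexdigits.encode("ascii"))


def classify_nt_password(value):
    """Return (status, usable_value) for a stored NT-Password string.

    status is "ok", "double-encoded", "bad-length" or "not-hex" (labels are
    this example's own). usable_value is the 0x-prefixed 16-byte form when it
    can be recovered, otherwise None.
    """
    text = value.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    try:
        raw = binascii.unhexlify(text)
    except (binascii.Error, ValueError):
        return "not-hex", None

    if len(raw) == NT_HASH_LEN:
        return "ok", "0x" + text

    # 32 bytes that are all ASCII hex digits: the hex text of the hash was
    # itself hex-encoded. Decoding one layer recovers the smbencrypt output.
    if len(raw) == 2 * NT_HASH_LEN and all(b in HEX_DIGITS for b in raw):
        return "double-encoded", "0x" + raw.decode("ascii")

    return "bad-length", None


if __name__ == "__main__":
    # Values copied from the thread above.
    samples = [
        "0x6336623331333036323736373866653636626166393538616561356566363138",
        "0x066DDFD4EF0E9CD7C256FE77191EF43C",
    ]
    for s in samples:
        print(s, "->", classify_nt_password(s))
```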