Hi, I am using free-radius-2.1.12. My requirement is to change algorithms used in my project to FIPS complaint ones. I see that radius uses MD5 for encoding/decoding passwords. I am using PAP authentication. In my radius client I changed encoding to SHA1; due to which radius started rejecting auth requests saying password mismatch from rlm_pap which is obvious. I tried changing few things in lib/radius.c to SHA1 but with no success. I ran radiusd with -X option and I saw following:With MD5 from client: User-Name = "vishal" Calling-Station-Id = "00-23-68-0F-1A-E6" NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 NAS-Identifier = "ap7131-0F1AE6" NAS-Port-Id = "0" User-Password = "vishal123" With SHA1 from client: User-Name = "vishal" Calling-Station-Id = "00-23-68-0F-1A-E6" NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 NAS-Identifier = "ap7131-0F1AE6" NAS-Port-Id = "0" User-Password = "\364~\224-\277\370R,\254\264\20517/\246&" Please help me change MD5 to Sha1. A quick pointer or exact place to change will help a lot. Thanks and Regards, Vishal Kotalwar, Bangalore-35. 09900055647. Follow Rediff Deal ho jaye! to get exciting offers in your city everyday.
On 20/04/12 11:09, vishal_nitr wrote:
With SHA1 from client: User-Name = "vishal" Calling-Station-Id = "00-23-68-0F-1A-E6" NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Service-Type = Framed-User NAS-IP-Address = 127.0.0.1 NAS-Identifier = "ap7131-0F1AE6" NAS-Port-Id = "0" User-Password = "\364~\224-\277\370R,\254\264\20517/\246&"
This isn't SHA. This is an indication that the shared secret is wrong, thus the password decryption is mangled. Check your shared secrets at both ends.
alan buxey wrote:
regarding using SHA1 - easy, just ensure that your passwords are stored as SHA1 objects - the docs say how to do this
No. He's changing the *source code* to encrypt the User-Name password via SHA1, instead of MD5. This isn't supported, and will never be supported. People who want security should use RADIUS over TLS. Using SHA1 instead of MD5 is broken and pointless. Alan DeKok.
vishal_nitr wrote:
I am using free-radius-2.1.12. My requirement is to change algorithms used in my project to FIPS complaint ones.
That is changing the RADIUS protocol. It won't be compatible with any other RADIUS system on the planet. Changing the protocol is not a good idea.
I see that radius uses MD5 for encoding/decoding passwords. I am using PAP authentication. In my radius client I changed encoding to SHA1; due to which radius started rejecting auth requests saying password mismatch from rlm_pap which is obvious. I tried changing few things in lib/radius.c to SHA1 but with no success.
This list isn't the place to ask questions about coding. It's for questions related to configuring FreeRADIUS. Coding questions normally belong on the freeradius-devel list. However, because you're *not* using RADIUS, your coding questions don't belong there. We can't help you change RADIUS. I suggest debugging the program yourself. Standard C skills will help here. Alan DeKok.
participants (4)
-
alan buxey -
Alan DeKok -
Phil Mayers -
vishal_nitr