EAP-Tls with MySQL
Hello, I have FR 2.1.12 setup with MySQL and EAP TLS. I set up my AP with WPA2 Enterprise and everything is working perfectly fine IF the user password in the database is saved as clear text. So if I have Cleartext-Password := secret It works. But if I have MD5-Password := <hashed secret> It does not. Is there a way to have it work with the MD5-Password? Thanks
On Fri, Jun 17, 2016 at 06:46:49PM -0400, Nicolas Roussi wrote:
I have FR 2.1.12 setup with MySQL and EAP TLS. I set up my AP with WPA2 Enterprise and everything is working perfectly fine IF the user password in the database is saved as clear text. So if I have Cleartext-Password := secret It works. But if I have MD5-Password := <hashed secret> It does not.
Er, EAP-TLS doesn't use passwords. What are you actually using?
Is there a way to have it work with the MD5-Password?
You might want to refer to http://deployingradius.com/documents/protocols/compatibility.html Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Jun 17, 2016, at 7:07 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Er, EAP-TLS doesn't use passwords. What are you actually using?
My understanding after reviewing the debug messages is that upon association with the AP, the client performs a key exchange with FR server. Then, once the secure channel is setup, the client is asked to provide username and password. Is my understanding correct? I used this guide: https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-... <https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-configure-wpa2-enterprise> That password is expected (or it defaults to) Cleartext-Password. Is there a way that I can change that? As I said before, it works. I just don’t feel comfortable saving user passwords in cleartext in my DB. Thanks
My understanding after reviewing the debug messages is that upon association with the AP, the client performs a key exchange with FR server. Then, once the secure channel is setup, the client is asked to provide username and password. Is my understanding correct? I used this guide: https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-... <https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-configure-wpa2-enterprise>
That password is expected (or it defaults to) Cleartext-Password. Is there a way that I can change that? As I said before, it works. I just don’t feel comfortable saving user passwords in cleartext in my DB.
So while I was writing the above reply, I thought of the following. I will save the password in the DB like this: username | attribute | op | value <username> | Cleartext-Password | := | <hashed password> And then modify the dialup.conf file for the authorize_check_query. So from: SELECT id, username, attribute, value, op \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id To: SELECT id, username, attribute, MD5(value), op \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id Should work fine.
On Jun 18, 2016, at 12:35 PM, Nicolas Roussi <nicolas.roussi@archimedean.org> wrote:
My understanding after reviewing the debug messages is that upon association with the AP, the client performs a key exchange with FR server. Then, once the secure channel is setup, the client is asked to provide username and password. Is my understanding correct? I used this guide: https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-... <https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-configure-wpa2-enterprise>
That password is expected (or it defaults to) Cleartext-Password. Is there a way that I can change that? As I said before, it works. I just don’t feel comfortable saving user passwords in cleartext in my DB.
So while I was writing the above reply, I thought of the following. I will save the password in the DB like this: username | attribute | op | value <username> | Cleartext-Password | := | <hashed password>
Don't do that. Cleartext-Password is the CLEAR TEXT PASSWORD.
And then modify the dialup.conf file for the authorize_check_query.
Don't do that, either.
Should work fine.
It might "work". It's not a reasonable thing to do. If you want to store hashed passwords in the database, read "man rlm_pap". This is documented. Alan DeKok.
On Jun 18, 2016, at 12:17 PM, Nicolas Roussi <nicolas.roussi@archimedean.org> wrote:
On Jun 17, 2016, at 7:07 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Er, EAP-TLS doesn't use passwords. What are you actually using?
My understanding after reviewing the debug messages is that upon association with the AP, the client performs a key exchange with FR server. Then, once the secure channel is setup, the client is asked to provide username and password.
Then it's not EAP-TLS. You *could* read the debug output to see what EAP method it uses...
Is my understanding correct? I used this guide: https://sites.google.com/site/strangemovement/raspberry-pi/04---install-and-...
The Wiki has documentation for getting EAP to work. If you go to http://freeradius.org/ and click on the "documentation" link, you'll get more documentation. I just don't understand why people go to bad third-party sites instead of reading the Wiki and web site.
That password is expected (or it defaults to) Cleartext-Password. Is there a way that I can change that? As I said before, it works. I just don’t feel comfortable saving user passwords in cleartext in my DB.
Read this: http://deployingradius.com/documents/protocols/compatibility.html And then decide what format passwords should be in. Alan DeKok.
participants (3)
-
Alan DeKok -
Matthew Newton -
Nicolas Roussi