EAP-TTLS MD5 hashed Passwords in MySQL Database for WPA-802.1x auth
Hello, I'm trying to setup a System to authenticate WLAN users via EAP-TTLS with md5 crypted passwords, stored in a sql database. I'm using MySQL as the Backend and it works great when the passwords are stored in cleartext or UNIX crypt. When i convert the password from crypt to md5 and change pap encryption_scheme to md5 it doen't work anymore. As I have to use the SQL attribute field with 'Crypt-Password' in it, it seems that it wants to use crypt passwords and not md5. I tried to change it to 'md5-password' but well ... that wasn't the answer. Here is the error: --------- modcall: entering group PAP for request 4 rlm_pap: login attempt by "foo" with password bar rlm_pap: Crypt-Password attribute but encryption scheme is not set to CRYPT modcall[authenticate]: module "pap" returns fail for request 4 modcall: leaving group PAP (returns fail) for request 4 auth: Failed to validate the user. TTLS: Got tunneled reply RADIUS code 3 TTLS: Got tunneled Access-Reject --------- Anyone has an Idea how to use the MD5 hashed Passwords in the Database with EAP-TTLS for authentication? I appended my radius configuration. Thanks. ----------- CONFIG ------------ eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no leap { } tls { private_key_file = /etc/ssl/rad.pem certificate_file = /etc/ssl/rad.pem CA_file = /etc/ssl/ca.pem dh_file = /etc/ssl/rad.dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = yes } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no } peap { default_eap_type = mschapv2 } mschapv2 { } } modules { pap { encryption_scheme = md5 } } authorize { preprocess suffix eap files sql } authenticate { Auth-Type PAP { pap } eap } users-file DEFAULT Auth-Type = PAP Fall-Through = 0 -------- END OF CONFIG -------------
aland@nitros9.org wrote:
"Christian Poessinger" <christian@poessinger.com> wrote:
As I have to use the SQL attribute field with 'Crypt-Password' in it
Why? Why not just change that?
Alan DeKok.
Well, changing it to MD5-Password results in ------------- rlm_sql (sql): No matching entry in the database for request from user [username] modcall[authorize]: module "sql" returns notfound for request 5 modcall: leaving group authorize (returns ok) for request 5 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 5 rlm_pap: login attempt by "username" with password password rlm_pap: No password (or empty password) to check against for for user username modcall[authenticate]: module "pap" returns invalid for request 5 modcall: leaving group PAP (returns invalid) for request 5 auth: Failed to validate the user. ------------ I already tried that. -CP
freeradius-users-bounces+christian=poessinger.com@lists.freeradius.org wrote:
"Christian Poessinger" <christian@poessinger.com> wrote:
Well, changing it to MD5-Password results in
In 1.1.x, use "User-Password"
Changed the content of the SQL Attribute field to 'User-Password' but I still get the same error. ------- modcall: leaving group authorize (returns ok) for request 4 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 4 rlm_pap: login attempt by "Username" with password Password rlm_pap: No password (or empty password) to check against for for user Username modcall[authenticate]: module "pap" returns invalid for request 4 modcall: leaving group PAP (returns invalid) for request 4 auth: Failed to validate the user. TTLS: Got tunneled reply RADIUS code 3 TTLS: Got tunneled Access-Reject -------- -CP
"Christian Poessinger" <christian@poessinger.com> wrote:
Changed the content of the SQL Attribute field to 'User-Password' but I still get the same error.
------- modcall: leaving group authorize (returns ok) for request 4 rad_check_password: Found Auth-Type PAP auth: type "PAP" Processing the authenticate section of radiusd.conf modcall: entering group PAP for request 4 rlm_pap: login attempt by "Username" with password Password
Please read the EARLIER messages in the debug log. It's obvious that the password was NOT read from SQL, so authentication will not work. Get the server to read the password from SQL. Debug log WILL SAY when the appropriate user entry is matched. Alan DeKok.
freeradius-users-bounces+christian=poessinger.com@lists.freeradius.org wrote:
Please read the EARLIER messages in the debug log. It's obvious that the password was NOT read from SQL, so authentication will not work.
Get the server to read the password from SQL. Debug log WILL SAY when the appropriate user entry is matched.
Alan DeKok.
Well, but why does it work with unix crypt passwords then? And also plaintext passwords? -CP
freeradius-users-bounces+christian=poessinger.com@lists.freeradius.org wrote:
freeradius-users-bounces+christian=poessinger.com@lists.freeradius.org wrote:
Please read the EARLIER messages in the debug log. It's obvious that the password was NOT read from SQL, so authentication will not work.
Get the server to read the password from SQL. Debug log WILL SAY when the appropriate user entry is matched.
Alan DeKok.
Well, but why does it work with unix crypt passwords then? And also plaintext passwords?
-CP
It generally seems to me to be more an EAP problem. When i to on the shell 'radtest user <password md5hash> radiusserver 0 secret' it works fine. When changing arround the Atrribute field i get wrong Atrribute errors. But with the User-Password attribute i get that strange ---- modcall: leaving group authorize (returns ok) for request 5 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. TTLS: Got tunneled reply RADIUS code 3 TTLS: Got tunneled Access-Reject ---- error when doing EAP. With radtest it works fine. -CP
It generally seems to me to be more an EAP problem. When i to on the shell 'radtest user <password md5hash> radiusserver 0 secret' it works fine.
When changing arround the Atrribute field i get wrong Atrribute errors. But with the User-Password attribute i get that strange
---- modcall: leaving group authorize (returns ok) for request 5 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. TTLS: Got tunneled reply RADIUS code 3 TTLS: Got tunneled Access-Reject ----
error when doing EAP. With radtest it works fine.
-CP
I'm really getting confused now ... is it actually possible to use md5 hashed passwords in a sql backend and doing EAP-TTLS for authenticating wireless clients? I had a little look at the rlm_sql and rlm_pap sourcecode and well the only attribute stuff I found was Password and Crypt-Password. So I'm thinking it could be possible that it just won't work with md5 hashed passwords and it will only work with CRYPT passwords. Anyone can answer this please? Thanks. -CP
"Christian Poessinger" <christian@poessinger.com> wrote:
I'm really getting confused now ... is it actually possible to use md5 hashed passwords in a sql backend and doing EAP-TTLS for authenticating wireless clients?
http://deployingradius.com/documents/protocols/compatibility.html See the matrix, the answer is "yes, for PAP".
I had a little look at the rlm_sql and rlm_pap sourcecode and well the only attribute stuff I found was Password and Crypt-Password. So I'm thinking it could be possible that it just won't work with md5 hashed passwords and it will only work with CRYPT passwords.
In 1.1.x, you have to tell the "pap" module that the password is stored as an MD5 hash. See it's examples & documentation. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
freeradius-users-bounces+christian=poessinger.com@lists.freeradius.org wrote:
"Christian Poessinger" <christian@poessinger.com> wrote:
I'm really getting confused now ... is it actually possible to use md5 hashed passwords in a sql backend and doing EAP-TTLS for authenticating wireless clients?
http://deployingradius.com/documents/protocols/compatibility.html
See the matrix, the answer is "yes, for PAP".
I had a little look at the rlm_sql and rlm_pap sourcecode and well the only attribute stuff I found was Password and Crypt-Password. So I'm thinking it could be possible that it just won't work with md5 hashed passwords and it will only work with CRYPT passwords.
In 1.1.x, you have to tell the "pap" module that the password is stored as an MD5 hash. See it's examples & documentation.
I think you mean this: radiusd.conf pap { encryption_scheme = md5 } Well I have this in my configuration since I tried to set this up but when you look some messages ago I got it working with crypt. With the md5 hash I always got the missing Auth-Type error. I also added an Auth-Type MD5 { pap } to the Authenticate section but I wasn't that lucky. -CP
participants (3)
-
Alan DeKok -
Alan DeKok -
Christian Poessinger