Hi, In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username of the EAP request message. How can I get the password of the EAP request? $RAD_REQUEST{'User-Password'} won't return the password. rad_recv: Access-Request packet from host 24.26.79.31 port 50168, id=207, length=185 User-Name = "test" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "00-26-4A-FC-EB-B2" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0xce81437fce8047c9464d6ff62d386d00 Message-Authenticator = 0x5feafac09a6cce51d36958efc628f397 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 209 ++[files] returns ok User-Name=test User-password= rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11 rlm_perl: RAD_REQUEST: State = 0xce81437fce8047c9464d6ff62d386d00 rlm_perl: RAD_REQUEST: Calling-Station-Id = 00-26-4A-FC-EB-B2 rlm_perl: RAD_REQUEST: Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x rlm_perl: RAD_REQUEST: Message-Authenticator = 0x5feafac09a6cce51d36958efc628f397 rlm_perl: RAD_REQUEST: User-Name = test rlm_perl: RAD_REQUEST: NAS-Identifier = belair rlm_perl: RAD_REQUEST: EAP-Message = 0x020100060319 rlm_perl: RAD_REQUEST: Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: RAD_REQUEST: EAP-Type = NAK rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.0.0.31 rlm_perl: RAD_REQUEST: NAS-Port = 0 rlm_perl: RAD_REQUEST: Framed-MTU = 1400 rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair State = 0xce81437fce8047c9464d6ff62d386d00 rlm_perl: Added pair Calling-Station-Id = 00-26-4A-FC-EB-B2 rlm_perl: Added pair Called-Station-Id = 00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x rlm_perl: Added pair Message-Authenticator = 0x5feafac09a6cce51d36958efc628f397 rlm_perl: Added pair User-Name = test rlm_perl: Added pair NAS-Identifier = belair rlm_perl: Added pair EAP-Message = 0x020100060319 rlm_perl: Added pair Connect-Info = CONNECT 11Mbps 802.11b rlm_perl: Added pair EAP-Type = NAK rlm_perl: Added pair NAS-IP-Address = 10.0.0.31 rlm_perl: Added pair NAS-Port = 0 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled
In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username of the EAP request message. How can I get the password of the EAP request? $RAD_REQUEST{'User-Password'} won't return the password. [<Tim>] You can't. RADIUS Access-Request packets that use EAP do not send the password to the RADIUS server. The only attributes you can access are the ones sent in the RADIUS request, which are listed below in the debug output. rad_recv: Access-Request packet from host 24.26.79.31 port 50168, id=207, length=185 User-Name = "test" NAS-IP-Address = 10.0.0.31 NAS-Identifier = "belair" NAS-Port = 0 Called-Station-Id = "00-0D-67-12-15-80:SSO_BelAir-PMIP-8021x" Calling-Station-Id = "00-26-4A-FC-EB-B2" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0xce81437fce8047c9464d6ff62d386d00 Message-Authenticator = 0x5feafac09a6cce51d36958efc628f397
Hi,
In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username of the EAP request message. How can I get the password of the EAP request? $RAD_REQUEST{'User-Password'} won't return the password.
it certainly wont for PEAPv0/MSCHAPv2 which is what your request looks like - hint, its a challenge response mechanism, the password is never disclosed alan
Hi, I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true? Thanks, ASM
Date: Wed, 5 Oct 2011 22:01:01 +0100 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: password in EAP request
Hi,
In example.pl perl script $RAD_REQUEST{'User-Name'} returns the username of the EAP request message. How can I get the password of the EAP request? $RAD_REQUEST{'User-Password'} won't return the password.
it certainly wont for PEAPv0/MSCHAPv2 which is what your request looks like - hint, its a challenge response mechanism, the password is never disclosed
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 06/10/11 14:06, Alex rsm wrote:
Hi,
I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true?
No. As others have said, EAP does not usually send the password. I would advise you go and read up on EAP, and how EAP methods work.
I agreed, the EAP message sent from Access Point does not send the password. The client sends the encrypted password. I think I should ask, how FreeRadius can retrieve the password in 802.1x authentication mechanism.
Date: Thu, 6 Oct 2011 14:11:34 +0100 From: p.mayers@imperial.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: password in EAP request
On 06/10/11 14:06, Alex rsm wrote:
Hi,
I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true?
No.
As others have said, EAP does not usually send the password.
I would advise you go and read up on EAP, and how EAP methods work. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 06/10/11 14:19, Alex rsm wrote:
I agreed, the EAP message sent from Access Point does not send the password. The client sends the encrypted password. I think I should ask, how FreeRadius can retrieve the password in 802.1x authentication mechanism.
FreeRADIUS can read the password from SQL, LDAP, csv files, or "users"-style files. It can read the plaintext password, or several formats of encrypted password (which must be compatible with the EAP method) See: http://deployingradius.com/documents/protocols/compatibility.html For one specific EAP mechanism (EAP-MSCHAPv2 - possibly inside PEAP) FreeRADIUS can also delegate the password check to a windows AD controller. Is this what you are asking?
On Thu, Oct 6, 2011 at 8:06 PM, Alex rsm <alex-rsm@hotmail.com> wrote:
Hi,
I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true?
There are two EAP mechanism that sends user password in clear-text: EAP-GTC and EAP-TTLS + PAP. Both of which is not supported by Windows client. If you use one of those two mechanism then you can easily get user's cleartext password. If you use EAP-MSCHAPv2 (the most widely used) then no plugin or software can retrieve the plaintext password from the access-request packet. It's simply not possible. -- Fajar
I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true?
No...? There's http://www.willhackforsushi.com/FreeRADIUS_WPE.html, but it's not a complete solution in itself... -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
Hi,
I was told there is a plugin for FreeRadius that can be used to retrieve the username/password of the EAP request. Is this true?
No...?
There's http://www.willhackforsushi.com/FreeRADIUS_WPE.html, but it's not a complete solution in itself...
Uh, what a lame thing. It will only work on the assumption that the user does not check the server certificate, which really bad practice. The rest is a setup of FreeRADIUS which is designed to be compatible with as many EAP types as possible; so as not to disturb the end user experience. It also can't figure out if the user entered his real credentials or had a typo/intentionally put in something different. The "patch" is a few sample clients, nothing more. A nice exercise, for sure, but calling this "Pwnage Edition" is somewhat exaggerated. As I read the headline, I expected more bang for the buck :-) Greetings, Stefan Winter
participants (7)
-
Alan Buxey -
Alex rsm -
Arran Cudbard-Bell -
Fajar A. Nugraha -
Phil Mayers -
Stefan Winter -
Tim Sylvester