Work with clear password , but not with MD5 ( but both work with radtest)
Hello ! I'm using Freeradius 2.1.12 with mysql Backend and a Ubiquity/Unify network for authenticating my wireless users Actually it work fine with users in Sql DB with User-Password := value Off course i wanted to change it for a MD5 version So i changed User-Password with MD5-Password Radtest is working fine , with both users using the MD5 and Clear Text password , replying me with auth and VLAN ID but when i try to authenticate with real world Wireless users , only the users with clear text password are working the test users with MD5 password only work with radtest I've parsed the log , and here is what seem to be different from real world vs radtest : -------------------- [pap] Normalizing MD5-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: stephaneb [mschap] Told to do MS-CHAPv2 for stephaneb with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject Failed to authenticate the user. ----------------------------- Can you help me ? thanks a lot !
hi, radtest is sending plain text that can then be MD5'd and compared to the stored value. Wireless clients are using MSCHAPv2 - so the challenge response stuff cannot be done with an MD5 encrypted password because the plain isnt sent to be compared. if you are worrying about the storage of credentials then maybe NTHash the password , or implement a local SAMBA environment with accounts? alan
On Oct 14, 2021, at 4:14 AM, webmaster@techshop-lille.fr wrote:
I'm using Freeradius 2.1.12
Why? v2 is EOL, and there are security fixes after after 2.1.12. You should run at least 2.2.10.
with mysql Backend and a Ubiquity/Unify network for authenticating my wireless users
Actually it work fine with users in Sql DB with User-Password := value
Off course i wanted to change it for a MD5 version
So i changed User-Password with MD5-Password
Radtest is working fine , with both users using the MD5 and Clear Text password , replying me with auth and VLAN ID
but when i try to authenticate with real world Wireless users , only the users with clear text password are working
It's impossible. http://deployingradius.com/documents/protocols/compatibility.html Security isn't a magic thing you get to apply everywhere. You have multiple options for security, some choices prevent you from using other choices. In this case, MD5 passwords in the DB prevent you from using PEAP. So you have to pick either clear-text passwords in the DB, or using TTLS+PAP. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
webmaster@techshop-lille.fr