Freeradius server does not authenticate when the password is in MD5
Hello guys, I have a freeradius server that is partially working, I can authenticate with passwords in plaintext and encrypted using the MD5 software 'NTRadPing Test Utility', both users than to the file 'users' as well as the MySQL database. When I try to authenticate from a notebook with windows 7, if the password is in plain text works, but if it is in MD5 not authentic, I believe that the settings in eap.conf files and other files are correct, does anyone know why infromar unable to authenticate when the password is encrypted in MD5? -- --------------------------------------------------------------------------------------------- Cordialmente, Cleiton R. de Souza
Cleiton Rodrigues de Souza wrote:
Hello guys, I have a freeradius server that is partially working, I can authenticate with passwords in plaintext and encrypted using the MD5 software 'NTRadPing Test Utility', both users than to the file 'users' as well as the MySQL database. When I try to authenticate from a notebook with windows 7, if the password is in plain text works, but if it is in MD5 not authentic, I believe that the settings in eap.conf files and other files are correct, does anyone know why infromar unable to authenticate when the password is encrypted in MD5?
It's impossible. http://deployingradius.com/documents/protocols/compatibility.html Alan DeKok.
So there is no way to authenticate Windows clients if the passwords are stored encrypted with MD5? So how can we store the passwords in the database unless they are in plaintext?? And through EAP/TTLS, no option to encrypt passwords??
On Thu, Jan 30, 2014 at 05:48:49PM -0200, Cleiton Rodrigues de Souza wrote:
So there is no way to authenticate Windows clients if the passwords are stored encrypted with MD5?
Why does everyone find this so hard to believe that they have to ask the question again? You have two options - use Windows >= 8, where you can use EAP-TTLS/PAP use a 3rd party supplicant that supports EAP-TTLS/PAP
So how can we store the passwords in the database unless they are in plaintext??
NTLM hash.
And through EAP/TTLS, no option to encrypt passwords??
Pretty much everyone uses PEAP/EAP-MSCHAPv2 for a reason: Microsoft haven't really given any other option. For password storage choices, see above. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Pretty much everyone uses PEAP/EAP-MSCHAPv2 for a reason: Microsoft haven't really given any other option. For password storage choices, see above.
Microsoft, suppliers of surprise rectal trauma since 1975. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 30 Jan 2014, at 19:48, Cleiton Rodrigues de Souza <cleitonrdesouza@gmail.com> wrote:
So there is no way to authenticate Windows clients if the passwords are stored encrypted with MD5?
Windows 8 maybe, or with the SecureW2 supplicant (Which supports EAP-TTLS PAP). Otherwise you either need to store the NT-Password or Cleartext Password, or authenticate against AD. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Cleiton Rodrigues de Souza -
Matthew Newton