How to tell freeradius of the encryption used in DB
Hi, I am testing freeradius. I use dialup admin and mysql to add users, which is configured to store passwords in md5. The attribute is User-Password. Used radtest for testing, but seems radtest is only able to recognize cleartext password. How to tell freeradius that passwords are in md5? Should i need to use other client aside from radtest? Thanks so much, Det
On Wed, Aug 17, 2011 at 8:50 PM, det.explorer@yahoo.com <det.explorer@yahoo.com> wrote:
Hi,
I am testing freeradius. I use dialup admin and mysql to add users, which is configured to store passwords in md5. The attribute is User-Password.
Use MD5-Password attribute instead
Used radtest for testing, but seems radtest is only able to recognize cleartext password.
radtest (and other NAS client, for that matter) doesn't really care how radius store user passwords. However, for freeradius to succesfully authenticate the user, the password encryption/hash method must ne compatible with the authentication method used. If you use PAP then you can store user password in any encryption/hash method supported by freeradius (MD5, crypt, NT-hash, etc).
How to tell freeradius that passwords are in md5?
Store it as MD5-Password. As an alternative, you MIGHT be able to use auto_header (and change what's stored in User-Password attribute). See http://wiki.freeradius.org/Rlm_pap
Should i need to use other client aside from radtest?
It won't really matter -- Fajar
Fajar thanks for the reply. I checked the freeradius attribute list, there is no md5-password. Should i need to add it? If yes how to add that attribute? http://freeradius.org/rfc/attributes.html I didn't touch freeradius config on the auth protocols. I suppose, by default freeradius is set to accept all auth protocols? Do i need to say in the config use PAP exclusively? Thanks, Det On Aug 17, 2011, at 9:56 PM, "Fajar A. Nugraha" <list@fajar.net> wrote:
On Wed, Aug 17, 2011 at 8:50 PM, det.explorer@yahoo.com <det.explorer@yahoo.com> wrote:
Hi,
I am testing freeradius. I use dialup admin and mysql to add users, which is configured to store passwords in md5. The attribute is User-Password.
Use MD5-Password attribute instead
Used radtest for testing, but seems radtest is only able to recognize cleartext password.
radtest (and other NAS client, for that matter) doesn't really care how radius store user passwords.
However, for freeradius to succesfully authenticate the user, the password encryption/hash method must ne compatible with the authentication method used. If you use PAP then you can store user password in any encryption/hash method supported by freeradius (MD5, crypt, NT-hash, etc).
How to tell freeradius that passwords are in md5?
Store it as MD5-Password.
As an alternative, you MIGHT be able to use auto_header (and change what's stored in User-Password attribute). See http://wiki.freeradius.org/Rlm_pap
Should i need to use other client aside from radtest?
It won't really matter
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, Aug 17, 2011 at 10:00 PM, det.explorer@yahoo.com <det.explorer@yahoo.com> wrote:
Fajar thanks for the reply. I checked the freeradius attribute list, there is no md5-password. Should i need to add it? If yes how to add that attribute?
https://github.com/alandekok/freeradius-server/blob/v2.1.x/share/dictionary.... The attribute is internal to freeradius, and should never transmitted to/from the client.
I didn't touch freeradius config on the auth protocols. I suppose, by default freeradius is set to accept all auth protocols? Do i need to say in the config use PAP exclusively?
Let's just say that if you're using radtest without any fancy switch, then you're using PAP. -- Fajar
Thanks fajar! It worked with MD5-Password. Is there a way to use User-Password attribute in MySQL and tell freeradius somewhere what encryption algo it is using? coz dialup admin by default will use User-Password when inserting this attribute in DB. Thanks! ________________________________ From: Fajar A. Nugraha <list@fajar.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Wednesday, August 17, 2011 11:04 PM Subject: Re: How to tell freeradius of the encryption used in DB On Wed, Aug 17, 2011 at 10:00 PM, det.explorer@yahoo.com <det.explorer@yahoo.com> wrote:
Fajar thanks for the reply. I checked the freeradius attribute list, there is no md5-password. Should i need to add it? If yes how to add that attribute?
https://github.com/alandekok/freeradius-server/blob/v2.1.x/share/dictionary.... The attribute is internal to freeradius, and should never transmitted to/from the client.
I didn't touch freeradius config on the auth protocols. I suppose, by default freeradius is set to accept all auth protocols? Do i need to say in the config use PAP exclusively?
Let's just say that if you're using radtest without any fancy switch, then you're using PAP. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Det Det -
det.explorer@yahoo.com -
Fajar A. Nugraha