vishal_nitr wrote:
This is what I am looking for. What is the place where RADIUS does decrypt operation.
You were told to NOT ask programming questions on this list. ...
I tried changing few things in lib/radius.c to SHA1 but with no success.
You clearly want to do programming. I've taken the liberty of unsubscribing you. This list is NOT the place to ask these questions. Your question is likely from a school course. If so, do the work yourself. Or, your question is because of some commercial needs. If so, pay someone to do the work, or get someone competent to do it for you. This is the *FreeRADIUS* list. You are not asking questions about FreeRADIUS. Therefore, your questions do not belong here. Alan DeKok.
Hello everybody, sorry for this question : i want to use encrypted passwd in "users" file without using unix files. So, i have to write : username Crypt-Password := "$1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0". How does Freeradius link the encrypted password with password ? I want to run a command wich crypt password. Wich command could i use ? My system is unix-like. Then, i want to store this encrypted password in "users" file ? i look to man rlm_pap and i set yes to auto_header. Thanks for any answer.
vazoumana fofana wrote:
i want to use encrypted passwd in "users" file without using unix files. So, i have to write :
username Crypt-Password := "$1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0".
How does Freeradius link the encrypted password with password ?
The PAP module does this. It sees the Crypt-Password as one of the formats supported for "known good" passwords. It then uses User-Password from the packet, and compares the two.
I want to run a command wich crypt password. Wich command could i use ? My system is unix-like.
See "radcrypt", which comes with the server.
Then, i want to store this encrypted password in "users" file ?
Yes.
i look to man rlm_pap and i set yes to auto_header.
You don't need to set that. Leave it as the default. Alan DeKok.
Date: Fri, 20 Apr 2012 15:47:28 +0200 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: passwd encrypted in user file
vazoumana fofana wrote:
i want to use encrypted passwd in "users" file without using unix files. So, i have to write :
username Crypt-Password := "$1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0".
How does Freeradius link the encrypted password with password ?
The PAP module does this. It sees the Crypt-Password as one of the formats supported for "known good" passwords. It then uses User-Password from the packet, and compares the two.
I want to run a command wich crypt password. Wich command could i use ? My system is unix-like.
See "radcrypt", which comes with the server. I use radcrypt but i note that for the same passwd , the encrypted passwd changes everytime. It it right ? How does freeradius link passwd and encrypt-passwd if this last changes at each run ?
I try to connect a client with encrypted passwd. I used radcrypt without option. I inserted result in users file. Here s the debug : [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: vazou [mschap] Told to do MS-CHAPv2 for vazou with NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject [eap] Freeing handler ++[eap] returns reject To configure windows client, i use PEAP with mschap V2. Is it right ? I don't find other ways to connect windows client with login/passwd.
Then, i want to store this encrypted password in "users" file ?
Yes.
i look to man rlm_pap and i set yes to auto_header.
You don't need to set that. Leave it as the default.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
vazoumana fofana wrote:
I use radcrypt but i note that for the same passwd , the encrypted passwd changes everytime. It it right ?
Yes.
How does freeradius link passwd and encrypt-passwd if this last changes at each run ?
It works. If you want to know how, read the docs. It's what we did.
To configure windows client, i use PEAP with mschap V2. Is it right ? I don't find other ways to connect windows client with login/passwd.
<sigh> This question was asked and answered earlier today. Alan DeKok.
Hi,
To configure windows client, i use PEAP with mschap V2. Is it right ? I don't find other ways to connect windows client with login/passwd.
PEAP requires password to be either plain format or NT-Hash it cannot be 'crypted' or SHA'd or anything alan
On Fri, Apr 20, 2012 at 02:27:25PM +0000, vazoumana fofana wrote:
username Crypt-Password := "$1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0". ... To configure windows client, i use PEAP with mschap V2. Is it right ? I don't find other ways to connect windows client with login/passwd.
You can't, unless you use a 3rd party supplicant or Windows 8. Windows built-in only supports PEAP/MS-CHAPv2 for auth. The password has to be stored clear-text or as an NT hash. http://deployingradius.com/documents/protocols/compatibility.html This was posted to the list just earlier today. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thanks for your answer.
Date: Fri, 20 Apr 2012 15:36:53 +0100 From: mcn4@leicester.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: passwd encrypted in user file
On Fri, Apr 20, 2012 at 02:27:25PM +0000, vazoumana fofana wrote:
username Crypt-Password := "$1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0". ... To configure windows client, i use PEAP with mschap V2. Is it right ? I don't find other ways to connect windows client with login/passwd.
You can't, unless you use a 3rd party supplicant or Windows 8. Windows built-in only supports PEAP/MS-CHAPv2 for auth. The password has to be stored clear-text or as an NT hash.
http://deployingradius.com/documents/protocols/compatibility.html
This was posted to the list just earlier today.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Fri, Apr 20, 2012 at 9:27 PM, vazoumana fofana <zoumlander@hotmail.com> wrote:
I want to run a command wich crypt password. Wich command could i use ? My system is unix-like.
See "radcrypt", which comes with the server.
I use radcrypt
For completeness, you don't HAVE to use radcrypt. Any program that properly create unix crypt will work. However radcrypt is convinient since it comes with the server.
but i note that for the same passwd , the encrypted passwd changes everytime. It it right ?
Yes.
How does freeradius link passwd and encrypt-passwd if this last changes at each run ?
That's how crypt works. Read some reference for details, like http://en.wikipedia.org/wiki/Crypt_(Unix) . In particular, look for "salt". The salt can be any arbitrary or random string (thus the same password can result in different hash if the salt is different).
To configure windows client, i use PEAP with mschap V2. Is it right ? I don't find other ways to connect windows client with login/passwd.
Short version: mschap doesn't work with crypt password. Long version: please search the list archive :) -- Fajar
alan buxey wrote:
username Cleartext-Password := "{crypt}$1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0"
is also 100% valid...and neater
That should be "Password-With-Header", not "Cleartext-Password" The cleartext password is for... cleartext-passwords. Others are Crypt-Password, MD5-Password, etc. They are all in specific formats. The Password-With-Header is likely a bad name, but it accurately describes the contents. Alan DeKok.
On Fri, Apr 20, 2012 at 9:48 PM, Alan DeKok <aland@deployingradius.com> wrote:
alan buxey wrote:
username Cleartext-Password := "{crypt}$1$5oVGRb3C$PCKT5Fv7d81NZTmzEm83e0"
is also 100% valid...and neater
That should be "Password-With-Header", not "Cleartext-Password"
The cleartext password is for... cleartext-passwords. Others are Crypt-Password, MD5-Password, etc. They are all in specific formats.
The Password-With-Header is likely a bad name, but it accurately describes the contents.
The documentation (and configuration file) is probably slightly out-of-date (it still refer to User-Password), but am I right in assuming that: (1) If auto_header = no (the default), password with header should be stored in Password-With-Header attribute (2) If auto_header = yes, the password with header can be stored in Cleartext-Password attribute. Or is it in User-Password attribute, like what the docs and config file says? -- Fajar
Fajar A. Nugraha wrote:
The documentation (and configuration file) is probably slightly out-of-date (it still refer to User-Password), but am I right in assuming that:
Yes, well...
(1) If auto_header = no (the default), password with header should be stored in Password-With-Header attribute
Yes.
(2) If auto_header = yes, the password with header can be stored in Cleartext-Password attribute. Or is it in User-Password attribute, like what the docs and config file says?
Yes. Alan DeKok.
participants (5)
-
alan buxey -
Alan DeKok -
Fajar A. Nugraha -
Matthew Newton -
vazoumana fofana