EAP-TTLS MD5 hashed Passwords in MySQL Database for WPA-802.1x auth

Christian Poessinger christian at poessinger.com
Tue Jul 25 14:01:02 CEST 2006


I'm trying to set up a system to authenticate WLAN users via EAP-TTLS with
md5 crypted passwords, stored in a sql database.

I'm using MySQL as the backend and it works great when the passwords are
stored in cleartext or UNIX crypt. When I convert the password from crypt to
md5 and change pap encryption_scheme to md5 it doesn't work anymore. As I
have to use the SQL attribute field with 'Crypt-Password' in it, it seems
that it wants to use crypt passwords and not md5. I tried to change it to
'md5-password' but well ... that wasn't the answer.

Here is the error:

modcall: entering group PAP for request 4
rlm_pap: login attempt by "foo" with password bar
rlm_pap: Crypt-Password attribute but encryption scheme is not set to CRYPT
  modcall[authenticate]: module "pap" returns fail for request 4
modcall: leaving group PAP (returns fail) for request 4
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject

Does anyone have an idea how to use the MD5 hashed passwords in the database
with EAP-TTLS for authentication? I appended my radius configuration. Thanks.

----------- CONFIG ------------

        eap {
                default_eap_type = ttls
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                leap {
                tls {
                        private_key_file = /etc/ssl/rad.pem
                        certificate_file = /etc/ssl/rad.pem
                        CA_file = /etc/ssl/ca.pem
                        dh_file = /etc/ssl/rad.dh
                        random_file = /dev/urandom
                        fragment_size = 1024
                        include_length = yes
                        check_crl = yes

                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no

                peap {
                        default_eap_type = mschapv2
                mschapv2 {

modules {
        pap {
                encryption_scheme = md5
authorize {
authenticate {
        Auth-Type PAP {

DEFAULT         Auth-Type = PAP
                Fall-Through = 0

-------- END OF CONFIG -------------
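
Added example, not part of the original post and not FreeRADIUS code: a small audit that flags password rows whose attribute name or hash shape cannot match the configured pap encryption_scheme, which is the mismatch the rlm_pap log line above reports. The (UserName, Attribute, Value) row layout, the sample rows and the md5/MD5-Password pairing are assumptions; only the crypt/Crypt-Password pairing comes from the log.

```python
import hashlib
import hmac
import re

# Assumed pairing of encryption_scheme values with check-item names.
# Only the crypt/Crypt-Password pairing is confirmed by the log on this page.
SCHEME_ATTRIBUTE = {"crypt": "Crypt-Password", "md5": "MD5-Password"}

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")       # unsalted MD5 as 32 hex digits
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")   # traditional 13-character crypt(3)


def value_format(value):
    """Guess how a stored password value was produced from its shape."""
    if MD5_HEX.fullmatch(value):
        return "md5"
    if value.startswith("$1$") or DES_CRYPT.fullmatch(value):
        return "crypt"
    return "unknown"


def audit_rows(rows, scheme):
    """Return (user, problem) pairs for rows that cannot match `scheme`."""
    expected = SCHEME_ATTRIBUTE[scheme]
    problems = []
    for user, attribute, value in rows:
        if attribute != expected:
            problems.append((user, f"{attribute} attribute but scheme is {scheme}"))
        elif value_format(value) != scheme:
            problems.append((user, f"value does not look like a {scheme} hash"))
    return problems


def md5_matches(stored_hex, candidate):
    """Compare a candidate password with an unsalted MD5 hex digest in constant time."""
    digest = hashlib.md5(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hex.lower())


# Constructed sample rows in (UserName, Attribute, Value) order.
ROWS = [
    ("foo", "Crypt-Password", hashlib.md5(b"bar").hexdigest()),  # the case in the post
    ("alice", "MD5-Password", hashlib.md5(b"s3cret").hexdigest()),
    ("bob", "MD5-Password", "abJnggxhB/yWI"),  # crypt-shaped value, md5 label
]

if __name__ == "__main__":
    for user, problem in audit_rows(ROWS, "md5"):
        print(f"{user}: {problem}")
```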