Error SHA2-Password authentication
Kirchner, Christoph
Christoph.Kirchner at ekom21.de
Tue Nov 3 10:21:51 CET 2015
Hello,
I have a problem getting the configuration for user authentication with SHA2-Password up and running (SHA/MD5-Password doesn't work either).
Everything else works, including authentication with Cleartext-Password and Crypt-Password.
#####
Cleartext-Password:
pap : Login attempt with password
pap : User authenticated successfully
Crypt-Password:
pap : Login attempt with password
pap : Comparing with "known-good" Crypt-password
pap : User authenticated successfully
#####
Version: Freeradius 3.0.3
OS: SLES12
Output:
# radiusd -X
Listening on auth address * port 1812 as server default
Listening on acct address * port 1813 as server default
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 36131
Ready to process requests.
Received Access-Request Id 7 from 10.10.10.2:62047 to 10.10.20.2:1812 length 46
User-Name = 'testuser'
User-Password = '12345678'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) files : users: Matched entry testuser at line 2
(0) [files] = ok
(0) pap : Normalizing SHA2-Password from hex encoding, 64 bytes -> 32 bytes
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Auth-Type PAP {
(0) pap : Login attempt with password
(0) pap : Comparing with "known-good" SHA2-Password
(0) ERROR: pap : SHA-256 digest does not match "known good" digest
(0) pap : Passwords don't match
(0) [pap] = reject
(0) } # Auth-Type PAP = reject
(0) Failed to authenticate the user.
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT { ... } # empty sub-section is ignored
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
Sending Access-Reject Id 7 from 10.10.20.2:1812 to 10.10.10.2:62047
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 7 with timestamp +51
Ready to process requests.
I think the hash is correct:
# echo "12345678" | openssl dgst -sha256
# 2634c3097f98e36865f0c572009c4ffd73316bc8b88ccfe8d196af35f46e2394
/etc/raddb/users
#testuser Cleartext-Password := "12345678"
testuser SHA2-Password := "2634c3097f98e36865f0c572009c4ffd73316bc8b88ccfe8d196af35f46e2394"
#testuser Crypt-Password := "s9Xk6K7lnMWek"
What am I doing wrong?
I read the FAQ and documents, but I can't get it to work.
Yours Faithfully,
Christoph
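
Added example, not part of the original post and not FreeRADIUS code: a Python model of the "Comparing with known-good SHA2-Password" step in the debug output above. It checks whether the stored hex digest is the SHA-256 of the password bytes alone or of the password followed by a line ending, which is what `echo` without `-n` feeds to `openssl dgst`. The function names and suffix labels are assumptions made for this example.

```python
import hashlib
import hmac

# Values from the post: the test password and the SHA2-Password users entry.
PASSWORD = "12345678"
STORED_HEX = "2634c3097f98e36865f0c572009c4ffd73316bc8b88ccfe8d196af35f46e2394"

# Hypothetical labels for bytes a shell pipeline may append to the password.
SUFFIXES = {
    "password only": b"",
    "password + LF (echo without -n)": b"\n",
    "password + CRLF": b"\r\n",
}


def normalize_hex(stored: str) -> bytes:
    """Decode a hex digest to raw bytes (64 hex chars -> 32 bytes)."""
    raw = bytes.fromhex(stored.strip())
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError(f"expected 32 bytes, got {len(raw)}")
    return raw


def sha2_matches(password: str, stored: str) -> bool:
    """Assumed model of the check: SHA-256 over exactly the password bytes."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return hmac.compare_digest(digest, normalize_hex(stored))


def diagnose(password: str, stored: str) -> list[str]:
    """Return labels of the inputs whose SHA-256 equals the stored digest."""
    want = normalize_hex(stored)
    pw = password.encode("utf-8")
    return [label for label, suffix in SUFFIXES.items()
            if hmac.compare_digest(hashlib.sha256(pw + suffix).digest(), want)]


def correct_entry(user: str, password: str) -> str:
    """Build a users-file line whose digest covers the password bytes only."""
    hexdigest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return f'{user} SHA2-Password := "{hexdigest}"'


if __name__ == "__main__":
    print("matches as stored:", sha2_matches(PASSWORD, STORED_HEX))
    print("stored digest is SHA-256 of:", diagnose(PASSWORD, STORED_HEX))
    print(correct_entry("testuser", PASSWORD))
```

On the shell, `printf '%s' "12345678" | openssl dgst -sha256` hashes the password without a trailing newline.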