radius PECL extension works well on XAMPP but unexpectedly on other Servers

Souhel Ayoub suhelayoub at gmail.com
Wed Mar 27 11:39:55 CET 2019 

hello everyone,

radius PECL extension works well on XAMPP but unexpectedly on other
Servers(IIS windows server 2016 &OR& httpd version 2.4.6 (on centos 7-6);
all 64x).

I have a php login page which authenticate users through a freeradius
server hosted by linux. The freeradius uses MariaDB 5.5.60 to store its
database. In radcheck table, the attribute assigned to to users' password
is Cleartext-Password.

Freeradius Server Info:
OS:centos-release-7-6.1810.2.el7.centos.x86_64
Radius server:FreeRADIUS version 3.0.13, for host x86_64-redhat- linux-gnu
The login page uses PHP (Version 7.2.15) and the radius PECL extension
(version 1.4.0b1); all in 64x.

On XAMPP: the authentication request sends the user's password as a clear
text as expected.
On other webserver: the authentication request sends the user's password as
an encrypted text.
I do not want this module to encrypt the password.
I could not figure out which encryption this is, or at which position it
happens.
I need help deactivating this encryption. It would also be nice if you
could provide some reference that explains encryption in freeradius server.


// PHP LOG IN Function
function radiusLogin($username, $password){
    $msg='';
    $hostname='192.168.0.22';
    $port='1812';
    $secret='radiusPass';
    $timeout='3';
    $max_tries='3';
$radius_handle= radius_auth_open();
radius_add_server($radius_handle, $hostname, $port, $secret, $timeout,
$max_tries);
radius_create_request($radius_handle, RADIUS_ACCESS_REQUEST);
radius_put_attr($radius_handle, RADIUS_USER_NAME, $username);
radius_put_attr($radius_handle, RADIUS_USER_PASSWORD, $password);
$result = radius_send_request($radius_handle);
try {
    switch ($result) {
        case RADIUS_ACCESS_ACCEPT:
            $msg='ACCEPT';
            break;
        case RADIUS_ACCESS_REJECT:
            $msg='REJECT';
            break;
        case RADIUS_ACCESS_CHALLENGE:
            $msg='CHALLENGE';
            break;
        default:
            $msg='FAILED';
    }
} catch(Exception $e) {
    $msg=$msg.'<br>'.$e->getMessage();
}
return $msg;
}

// the debug mode shows:
..
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password "???=襾W??ď?Ю?" does not match "known
good" password
(0) pap: Passwords don't match
(0)     [pap] = reject
(0)   } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) Login incorrect (pap: Cleartext password "???=襾W??ď?Ю?" does not match
"known good" password): [tom/???=襾W??ď?Ю?] (from client etageNAS port 0)
(0) WARNING: Unprintable characters in the password. Double-check the
shared secret on the server and the NAS!
..

More information about the Freeradius-Users mailing list