ERROR: FAILED: No NT-Password. Cannot perform authentication
Alan DeKok
aland at deployingradius.com
Wed Dec 20 13:29:44 UTC 2023
On Dec 20, 2023, at 2:47 AM, Chevy Innis via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> Configure the end user device to use TTLS+PAP. It's the most secure option
>
> Is this the only option or just the most secure? I assume any auth type that is compatible with SSHA2-512 should be ok?
When you say "any auth type", that list is composed of one entry: PAP.
TTLS+PAP is just a TLS wrapper around PAP.
Think of it this way. MS-CHAP and CHAP are hashes of the password, with some crypto magic. SSHA2-512 is also a hash of the password with some crypto magic.
But they're different hashes. So you can't compare the outputs. And you can't "invert" the hashes to get the password.
So if HASH1(password) can't be compared with HASH2(password), what can you do? You have HASH1(password). What authentication methods are compatible with that?
Answer: password.
Because you can then run HASH1 yourself. And then compare HASH1(password) with HASH1(password), and see if they're identical.
Alan DeKok.
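The argument above, as an added example (not part of the original post and not FreeRADIUS code): a server holding only a salted SHA-512 hash can check a cleartext PAP password by re-running the same hash, but cannot check a CHAP response, which is a different hash over the password. It assumes the stored value is base64(SHA-512(password + salt) + salt) and the CHAP response of RFC 1994; the function names, password, salt and challenge are constructed for illustration.

```python
import base64
import hashlib
import hmac

DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes; anything after it is the salt


def make_ssha512(password: bytes, salt: bytes) -> str:
    """Build the stored value (assumed layout: digest followed by salt)."""
    return base64.b64encode(hashlib.sha512(password + salt).digest() + salt).decode()


def verify_pap(stored_b64: str, cleartext: bytes) -> bool:
    """PAP delivers the password itself, so HASH1 can be re-run and compared."""
    raw = base64.b64decode(stored_b64)
    if len(raw) < DIGEST_LEN:  # truncated or malformed entry
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha512(cleartext + salt).digest(), digest)


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def verify_chap_with_cleartext(cleartext: bytes, chap_id: int,
                               challenge: bytes, response: bytes) -> bool:
    """Works only when the server stores the cleartext password."""
    return hmac.compare_digest(chap_response(chap_id, cleartext, challenge), response)


def verify_chap_from_hash(stored_b64: str, chap_id: int,
                          challenge: bytes, response: bytes) -> bool:
    """The only secret available is HASH1(password); feeding it to HASH2 does not match."""
    digest = base64.b64decode(stored_b64)[:DIGEST_LEN]
    return hmac.compare_digest(chap_response(chap_id, digest, challenge), response)


# Constructed sample data, not taken from any real deployment.
SAMPLE_PASSWORD = b"correct horse"
SAMPLE_STORED = make_ssha512(SAMPLE_PASSWORD, bytes.fromhex("a1b2c3d4e5f60718"))
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_CHAP = chap_response(7, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)  # what the client sends

if __name__ == "__main__":
    print("PAP vs stored hash:  ", verify_pap(SAMPLE_STORED, SAMPLE_PASSWORD))
    print("CHAP vs cleartext:   ", verify_chap_with_cleartext(
        SAMPLE_PASSWORD, 7, SAMPLE_CHALLENGE, SAMPLE_CHAP))
    print("CHAP vs stored hash: ", verify_chap_from_hash(
        SAMPLE_STORED, 7, SAMPLE_CHALLENGE, SAMPLE_CHAP))
```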