Re: (RADIATOR) Problems with SSHA password encription.

Hugh Irvine Thu, 04 Jan 2001 14:41:05 -0800

Hello Carles -

On Friday 05 January 2001 03:28, Carles Xavier Munyoz Bald� wrote:
> Hi,
> I have Radiator 2.16.3
> I'm using a DBM file to store my dialup users information using the
> encrypted format:
> myuser:Password="{SSHA}tZ9dh9AZ42Nih8L5WWz7hvXHXB1meQ==",Client-Port-DNIS="
>111222333"
>
> If I use the radpwtst tool over my radius system, all the authentication
> and accounting process goes well, but If I try to connect using a dialup
> connection the authentication fails.
>
> Using the snoop tool I see that the resquest arrives to the Radiator and
> this is the output generated by the radstock tool:
> Request (2f) - 11.11.11.11:1036 -> 22.22.22.22:1812 (L121)
>   Proxy-State            Len  6         "**B*"
>   User-Name              Len 16         "myuser@domain*"
>   CHAP-Password          Len 19         "*w**@{*****')]a|*"
>   NAS-Port               Len  6         2183
>   NAS-Port-Type          Len  6         Sync
>   Service-Type           Len  6         Framed-User
>   Framed-Protocol        Len  6         PPP
>   State                  Len  2         ""
>   Caller-Id              Len 11         "999999999"
>   Acct-Session-Id        Len 12         "999999999*"
>   Client-Port-DNIS       Len 11         "111222333"
> Reject  (2f) - 11.11.11.11:1036 <- 22.22.22.22:1812 (L42)
>   Proxy-State            Len  6         "**B*"
>   Reply-Message          Len 16         "Request
> Denied"
>
>
> If I change the encrypted format used in the DBM file:
> myuser:Password="mypassword",Client-Port-DNIS="111222333"
> then all goes fine (with the radpwtst tool and using a dialup
> connection).
>
> Have had anyone the same problem ?
> Is there any solution to it ?
>

This is a well-known problem, and it is due to you using CHAP authentication, 
which will not work with encrypted passwords.

If you want to use encrypted passwords in your database, you must use PAP 
authentication on the NAS. Alternatively, if you want to use CHAP 
authentication on the NAS, you must use have cleartext passwords in your 
database.

hth

Hugh



-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Problems with SSHA password encription.

Reply via email to
