I'm using FreeRADIUS v 2.1.1 on CentOS 5.2. I have everything working well, where I'm reading the user file for Cleartext and MD5 hashes.
Here are two examples from my user file:

bob     Cleartext-Password := "testing123"
carol   MD5-Password := "f30aa7a662c728b7407c54ae6bfd27d1"

(where carol's password is just hello123)

However, it appears the data I have access to is actually stored as salted MD5 hashes. An example of an SMD5 hash that doesn't work in my user file:

abe     SMD5-Password := "37d0aa2d0d2b1f282eb2b393c9413998:rqZAS049NrEgN9bD"

(where the above is :=salted MD5 hash:salt)

I see the rlm_pap man page lists SMD5-Password as an attribute, but I'm at a loss as to the correct format for the MD5 hash and its associated salt. I've tried not just the colon above, but a semicolon, dash, period, a space, or tacked the salt to the beginning or to the end. I tried looking through the src, but couldn't figure it out.

The output from radiusd -X and radtest for user abe is:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 55280, id=91, length=55
        User-Name = "abe"
        User-Password = "hellojulie"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "abe", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry abe at line 3
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "hellojulie"
[pap] Using SMD5 encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> abe
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 91 to 127.0.0.1 port 55280
Waking up in 4.9 seconds.

And if anyone is curious, I was told this is how these particular SMD5 entries I was given were generated:

// Builds a random string of $length characters from [a-zA-Z0-9]
function mosMakePassword($length=8) {
    $salt = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    $makepass = '';
    mt_srand(10000000*(double)microtime());
    for ($i = 0; $i < $length; $i++)
        $makepass .= $salt[mt_rand(0,61)];
    return $makepass;
}

// Stored value is "<md5 hex>:<salt>"; the hash is md5(password . salt)
list($hash, $salt) = explode(':', $row->password);
$cryptpass = md5($passwd.$salt);
if ($hash != $cryptpass) {
    if ( $bypost ) {
        mosErrorAlert(_LOGIN_INCORRECT);
    } else {
        $this->logout();
        mosRedirect('index.php');
    }
    exit();
}

If anyone has any ideas or can point out what I've completely misunderstood, please let me know.

thanks,
Julie
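Added example (not part of the original post, and not FreeRADIUS code): one way to turn the "md5hex:salt" entries described above into a single SMD5-Password value. It assumes rlm_pap checks SMD5 in the LDAP {SMD5} layout, that is a 16-byte MD5 digest followed by the raw salt, hex- or base64-encoded, with the digest taken over password then salt. The function names and the sample password are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

MD5_LEN = 16  # bytes in a raw MD5 digest


def joomla_to_smd5_blob(entry: str) -> bytes:
    """Turn '<md5 hex>:<salt>' into raw bytes: digest || salt."""
    hexdigest, sep, salt = entry.partition(":")
    if not sep or not salt:
        raise ValueError("expected '<md5 hex>:<salt>'")
    try:
        digest = binascii.unhexlify(hexdigest)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("hash part is not hex") from exc
    if len(digest) != MD5_LEN:
        raise ValueError("hash part is not a 16-byte MD5 digest")
    return digest + salt.encode("ascii")


def users_file_values(entry: str) -> dict:
    """Both encodings of digest || salt (assumed to be what rlm_pap decodes)."""
    blob = joomla_to_smd5_blob(entry)
    return {"hex": blob.hex(),
            "base64": base64.b64encode(blob).decode("ascii")}


def smd5_matches(blob: bytes, password: str) -> bool:
    """Assumed server-side check: MD5(password || salt) == stored digest."""
    if len(blob) <= MD5_LEN:
        return False  # no salt present, so not an SMD5 value
    digest, salt = blob[:MD5_LEN], blob[MD5_LEN:]
    candidate = hashlib.md5(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def make_entry(password: str, salt: str) -> str:
    """Constructed sample in the same style as md5($passwd.$salt) . ':' . $salt."""
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt


if __name__ == "__main__":
    sample = make_entry("constructed-pass", "AbCd1234EfGh5678")  # constructed
    for name, value in users_file_values(sample).items():
        print(f'{name}: SMD5-Password := "{value}"')
    print("verifies:", smd5_matches(joomla_to_smd5_blob(sample), "constructed-pass"))
```

Confirm a converted value with radtest against a test account before loading the full set, since the accepted encodings depend on the rlm_pap version.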