Re: Help: PAP with Sha1

2012-04-20 Thread Alan DeKok
vishal_nitr wrote:
>This is what I am looking for. What is the place where RADIUS does
> decrypt operation.

  You were told to NOT ask programming questions on this list.
 ...
>>I tried changing few things in lib/radius.c to SHA1 but with no
>>success.

  You clearly want to do programming.

  I've taken the liberty of unsubscribing you.  This list is NOT the
place to ask these questions.

  Your question is likely from a school course.  If so, do the work
yourself.

  Or, your question is because of some commercial needs.  If so, pay
someone to do the work, or get someone competent to do it for you.

  This is the *FreeRADIUS* list.  You are not asking questions about
FreeRADIUS.  Therefore, your questions do not belong here.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help: PAP with Sha1

2012-04-20 Thread alan buxey
Hi,

>Although the AVP User-Password is shown here in clear text, it was not
>transmitted to the server in clear text. FreeRADIUS uses the shared secret
>to encrypt and decrypt the value of the User-Password AVP.

correct. it was encrypted using the shared-secret, the RFCs give full
documentation on how this works.

>   This is what I am looking for. What is the place where RADIUS does
>decrypt operation.

just using SHA1 won't make it FIPS compliant as far as I can see - if it
did then there would have been a mass rush for a new RADIUS RFC with such a
'simple' change.   if you want to use 'industrial strength' for the transport
of credentials then use RADIUS with TLS over TCP (aka RADSEC).

alternatively, don't use PAP for the password! make the User-Password be SHA1
or SHA256 instead... the server can quite easily decode those to deal with
the authentication... and if anyone does lurk around able to break the
shared-secret (which is plausible if you don't have control of the network,
client, NAS etc) then they'd be faced with a nice SHA1 or SHA256... so the same
result as using SHA for the shared-secret with no messing with code.

alan


Re: Help: PAP with Sha1

2012-04-20 Thread vishal_nitr
Hi Alan,

thanks for the mail. This is what we read about request authentication:

Access-Request arrives

When the packet arrives at the FreeRADIUS server it is indicated by the following part:

rad_recv: Access-Request packet from host 127.0.0.1 port 48698, id=73, length=57
 User-Name = "alice"
 User-Password = "passme"
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 100

We see that the incoming request contains four AVPs. Although the AVP User-Password is shown here in clear text, it was not transmitted to the server in clear text. FreeRADIUS uses the shared secret to encrypt and decrypt the value of the User-Password AVP.

This is what I am looking for. What is the place where RADIUS does decrypt operation.

Thanks and Regards,

Vishal Kotalwar,
Bangalore-35.

09900055647.


From: alan buxey <a.l.m.bu...@lboro.ac.uk>
Sent: Fri, 20 Apr 2012 16:50:14
To: "vishal_n...@rediffmail.com" <vishal_n...@rediffmail.com>, FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: Help: PAP with Sha1
Hi,

> I tried changing few things in lib/radius.c to SHA1 but with no
> success.

please post full output from radiusd -X

regarding using SHA1 - easy, just ensure that your passwords are stored as SHA1
objects - the docs say how to do this

alan

Re: Help: PAP with Sha1

2012-04-20 Thread alan buxey
Hi,
>Thanks for the mail Alan. I don't agree with your comment that it is *not*
>RADIUS if we choose SHA1 over MD5. RADIUS supports SHA1 hashed
>user-password attribute. Following link confirms it.

are you talking about changing user passwords (as i first assumed) or are you
talking about changing the way RADIUS packets are passed (as Alan mentioned)?

if the former, then no code changes are needed on the server...it takes SHA1
fine.

if you are talking about doing SHA1 for the shared secret - which then encrypts
the payload for passwords access-requests - then that's playing with RADIUS
specification...
and if you are thinking of doing that then I'd say STOP and use RADSEC instead.

alan


Re: Help: PAP with Sha1

2012-04-20 Thread vishal_nitr
Thanks for the mail Alan. I don't agree with your comment that it is *not*
RADIUS if we choose SHA1 over MD5. RADIUS supports SHA1 hashed user-password
attribute. Following link confirms it: http://freeradius.org/radiusd/man/rlm_pap.txt. Please have a look.

Thanks and Regards,

Vishal Kotalwar,
 Bangalore-35.

09900055647.


From: Alan DeKok <al...@deployingradius.com>
Sent: Fri, 20 Apr 2012 17:07:45
To: vishal_n...@rediffmail.com, FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: Help: PAP with Sha1
vishal_nitr wrote:
> I am using free-radius-2.1.12. My requirement is to change
> algorithms used in my project to FIPS compliant ones.

  That is changing the RADIUS protocol.  It won't be compatible with any
other RADIUS system on the planet.  Changing the protocol is not a good
idea.

> I see that radius
> uses MD5 for encoding/decoding passwords. I am using PAP authentication.
> In my radius client I changed encoding to SHA1; due to which radius
> started rejecting auth requests saying password mismatch from rlm_pap
> which is obvious.
> I tried changing few things in lib/radius.c to SHA1 but with no success.

  This list isn't the place to ask questions about coding.  It's for
questions related to configuring FreeRADIUS.

  Coding questions normally belong on the freeradius-devel list.
However, because you're *not* using RADIUS, your coding questions don't
belong there.

  We can't help you change RADIUS.  I suggest debugging the program
yourself.  Standard C skills will help here.

  Alan DeKok.

Re: Help: PAP with Sha1

2012-04-20 Thread Alan DeKok
alan buxey wrote:
> regarding using SHA1 - easy, just ensure that your passwords are stored as 
> SHA1
> objects - the docs say how to do this

  No.  He's changing the *source code* to encrypt the User-Name password
via SHA1, instead of MD5.

  This isn't supported, and will never be supported.

  People who want security should use RADIUS over TLS.  Using SHA1
instead of MD5 is broken and pointless.

  Alan DeKok.


Re: Help: PAP with Sha1

2012-04-20 Thread Alan DeKok
vishal_nitr wrote:
> I am using free-radius-2.1.12. My requirement is to change
> algorithms used in my project to FIPS compliant ones.

  That is changing the RADIUS protocol.  It won't be compatible with any
other RADIUS system on the planet.  Changing the protocol is not a good
idea.

> I see that radius
> uses MD5 for encoding/decoding passwords. I am using PAP authentication.
> In my radius client I changed encoding to SHA1; due to which radius
> started rejecting auth requests saying password mismatch from rlm_pap
> which is obvious. 
> I tried changing few things in lib/radius.c to SHA1 but with no success.

  This list isn't the place to ask questions about coding.  It's for
questions related to configuring FreeRADIUS.

  Coding questions normally belong on the freeradius-devel list.
However, because you're *not* using RADIUS, your coding questions don't
belong there.

  We can't help you change RADIUS.  I suggest debugging the program
yourself.  Standard C skills will help here.

  Alan DeKok.


Re: Help: PAP with Sha1

2012-04-20 Thread alan buxey
Hi,

>    I tried changing few things in lib/radius.c to SHA1 but with no
>success.

please post full output from radiusd -X

regarding using SHA1 - easy, just ensure that your passwords are stored as SHA1
objects - the docs say how to do this


alan


Re: Help: PAP with Sha1

2012-04-20 Thread Phil Mayers

On 20/04/12 11:09, vishal_nitr wrote:
> With SHA1 from client:
> User-Name = "vishal"
> Calling-Station-Id = "00-23-68-0F-1A-E6"
> NAS-Port = 0
> NAS-Port-Type = Wireless-802.11
> Framed-MTU = 1400
> Service-Type = Framed-User
> NAS-IP-Address = 127.0.0.1
> NAS-Identifier = "ap7131-0F1AE6"
> NAS-Port-Id = "0"
> User-Password = "\364~\224-\277\370R,\254\264\20517/\246&"

This isn't SHA. This is an indication that the shared secret is wrong,
thus the password decryption is mangled.

Check your shared secrets at both ends.
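As an added worked example (not code from FreeRADIUS or from anyone in this thread), this is the RFC 2865 User-Password hiding alan refers to, with constructed sample values for the shared secret, Request Authenticator and password; decoding with a wrong secret shows why the dump Phil quotes is junk rather than an error.

```python
import hashlib

# Constructed sample values for the demo (not from any real NAS or server).
SECRET = b"testing123"
WRONG_SECRET = b"testing124"
REQUEST_AUTHENTICATOR = bytes(range(16))  # a real client sends 16 random bytes

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: zero-pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator in place of a previous block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password. Each keystream block depends only on the secret
    and the previous *ciphertext* block, so a wrong secret raises no error: it
    just yields 16 bytes of junk per block (the mangled value in radiusd -X)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    # rstrip also removes a password's own trailing NULs; the RFC padding is ambiguous
    return bytes(out).rstrip(b"\x00")

def demo(password: bytes = b"passme") -> dict:
    """Hide with SECRET, then unhide with the right and with a wrong secret."""
    hidden = hide_password(password, SECRET, REQUEST_AUTHENTICATOR)
    return {
        "hidden_len": len(hidden),
        "right": unhide_password(hidden, SECRET, REQUEST_AUTHENTICATOR),
        "wrong": unhide_password(hidden, WRONG_SECRET, REQUEST_AUTHENTICATOR),
    }
```

The same construction is why a SHA1 swap on one side only produces "password mismatch": the server's keystream no longer matches the client's, exactly as with a wrong shared secret.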