password encryption problem

2009-07-31 Thread Hegedus Gabor

Hi all!

I have a problem, I want to authenticate console users in Cisco switches.
In the 2960, the switch sends the password in cleartext, no problem.

User-Password=password

but in the 2950, the switch can only send it in an encrypted version like this:

NAS-Port-Type = Virtual
User-Name = test
Calling-Station-Id = 192.168.***
User-Password = \\342\455\325]̍\322\tM~\237\616}\266\426
Service-Type = Login-User

In the LDAP database I tried all of the encryption types (clear, md5,
crypt, md5crypt), but the authentication is rejected every time:


frad debug:

Failed to authenticate the user.
Login incorrect (rlm_ldap: Bind as user failed): 
[test/\\_\266\065]�?\663\tM~\667\354}\126\316] (from client switch port 
1 cli 192.168.***
WARNING: Unprintable characters in the password. Double-check the shared 
secret on the server and the NAS!



What can I do in FreeRADIUS? What did I forget?
Thanks! Gabor
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: password encryption problem

2009-07-31 Thread Nicolas Goutte


On 31.07.2009 at 15:13, Hegedus Gabor wrote:

> Hi all!
>
> I have a problem, I want to authenticate console users in Cisco switches.
> In the 2960, the switch sends the password in cleartext, no problem.
>
> User-Password=password


Please try using

Cleartext-Password := password

in the users file (or similarly in databases).







Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841





Re: password encryption problem

2009-07-31 Thread Hegedus Gabor

Nicolas Goutte wrote:


> On 31.07.2009 at 15:13, Hegedus Gabor wrote:
>
>> Hi all!
>>
>> I have a problem, I want to authenticate console users in Cisco switches.
>> In the 2960, the switch sends the password in cleartext, no problem.
>>
>> User-Password=password
>
> Please try using
>
> Cleartext-Password := password
>
> in the users file (or similarly in databases).

As I said, I tried a cleartext password in the LDAP, and nothing changed.
My user is in the LDAP and not in the users file.





Re: password encryption problem

2009-07-31 Thread Hegedus Gabor


Sorry, this was my fault; the shared secret really was not the same.
ty
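
Added example, not part of the original thread and not FreeRADIUS code: a Python implementation of the RFC 2865 section 5.2 User-Password hiding, showing why a shared-secret mismatch between NAS and server yields the unprintable password bytes seen in the debug output above. The secrets, the authenticator value and the has_unprintable check are constructed for illustration; the check only approximates the condition behind the server's warning.

```python
import hashlib

def _xor_md5(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # XOR one 16-octet block with MD5(secret + prev); prev is the Request
    # Authenticator for the first block, then the previous hidden block.
    pad = hashlib.md5(secret + prev).digest()
    return bytes(x ^ y for x, y in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: build the User-Password attribute value."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("need a 16-octet authenticator and a password of at most 128 octets")
    size = max(16, -(-len(password) // 16) * 16)  # NUL-pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor_md5(padded[i:i + 16], secret, prev)
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the secret configured for this client."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor_md5(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def has_unprintable(recovered: bytes) -> bool:
    # Assumed approximation of the condition behind the server's warning.
    return any(b < 0x20 or b > 0x7E for b in recovered)

def demo():
    authenticator = bytes(range(16))                  # constructed sample value
    hidden = hide_password(b"password", b"testing123", authenticator)
    same = recover_password(hidden, b"testing123", authenticator)
    other = recover_password(hidden, b"testing124", authenticator)  # mismatched secret
    return same, has_unprintable(same), other, has_unprintable(other)

if __name__ == "__main__":
    same, same_bad, other, other_bad = demo()
    print("matching secret  :", same, "unprintable:", same_bad)
    print("mismatched secret:", other, "unprintable:", other_bad)
```

Nothing in the hiding itself tells the server that the secret is wrong: it simply recovers garbage, and the subsequent LDAP bind with that garbage fails.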

MD5 password encryption problem

2004-02-13 Thread Mike Lampson
Hello all,

I have searched the mailing list archives and have failed to find a solution
to my particular problem.

I am trying to switch the entries in our users file from Unix crypt to MD5
encryption.  My entry in the users file looks like this:

mikelampson Auth-Type := PAP, Crypt-Password == cc03e747a6afbbcbf8be7668acfebee5
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Framed-Compression = Van-Jacobson-TCP-IP

The above Crypt-Password is for the string test123 and was generated by
using the md5_hex function from the Digest::MD5 Perl library.

The top portion of the authenticate section of radiusd.conf is as follows:

Auth-Type PAP {
        pap
}

And the pap section looks like this:

# PAP module to authenticate users based on their stored password
#
#  Supports multiple encryption schemes
#  clear: Clear text
#  crypt: Unix crypt
#    md5: MD5 encryption
#   sha1: SHA1 encryption.
#  DEFAULT: crypt
pap {
        #encryption_scheme = crypt
        encryption_scheme = md5
}

And finally the relevant lines when running radiusd -X are as follows:

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:3091, id=26, length=51
        User-Name = mikelampson
        User-Password = test123
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
rlm_realm: No '@' in User-Name = mikelampson, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
users: Matched mikelampson at 129
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type PAP
auth: type Crypt
auth: Failed to validate the user.

I am using NTRadPing to generate the request.

Any suggestions appreciated.

Thanks,

Mike

