User-Password NOT clear text?
-
I have a "standard" setup:
WiFi users coming from LAN going through pfSense to the WAN interface with a freeradius/MySQL backend.
The problem is when I tried the authentication diagnostic, for the user "foo" with password "foo".
freeradius shows that the User-Password attribute is NOT the cleartext "foo"!

rad_recv: Access-Request packet from host 10.10.120.100 port 23084, id=195, length=66
NAS-IP-Address = 10.10.120.100
NAS-Identifier = "pfsense.pi1m.my"
User-Name = "foo"
User-Password = ""\365\304a8\277\266\324\374(&\030\005߁\271\243""
Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {…}
++[preprocess] returns ok

I have another test-bed with AFAIK EXACTLY the same freeradius setup (the /etc/raddb is just copied over) with the following:

rad_recv: Access-Request packet from host 10.25.1.10 port 9947, id=54, length=69
NAS-IP-Address = 10.25.1.10
NAS-Identifier = "pfsense.pi1m.my"
User-Name = "foobar"
User-Password = ""foo!bar!123""
Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {…}
++[preprocess] returns ok

Why the heck does 1 setup return the true cleartext password and the other one return a garbled password?
Note that the passwords are stored as MD5 hashes.

mysql> select * from radcheck;
+----+----------+--------------+----+----------------------------------+
| id | username | attribute | op | value |
+----+----------+--------------+----+----------------------------------+
| 1 | da_admin | MD5-Password | := | 274264553b3807300ab3155d2f66d839 |
| 2 | foobar | MD5-Password | := | 8694477cb58e460c81d7a1922bc74068 |
| 5 | wsx | MD5-Password | := | af83f787e8911dea9b3bf677746ebac9 |
+----+----------+--------------+----+----------------------------------+
-
Not enough of the exchange to really tell from that, but probably a difference such as PAP vs CHAP or other settings in the RADIUS server that govern what it claims to support.
It could also be a difference in the compile-time options given to freeradius and not in the config file.