Netgate Discussion Forum

User-Password NOT clear text?

  • S
    squidster
    last edited by Jul 3, 2013, 11:39 AM

    I have a "standard" setup:
    WiFi users coming from LAN going through pfSense to the WAN interface with a freeradius/MySQL backend.
    The problem is when I tried the authentication diagnostic, for the user "foo" with password "foo".
    freeradius shows that the User-Password attribute is NOT the cleartext "foo"!

    rad_recv: Access-Request packet from host 10.10.120.100 port 23084, id=195, length=66
    NAS-IP-Address = 10.10.120.100
    NAS-Identifier = "pfsense.pi1m.my"
    User-Name = "foo"
    User-Password = ""\365\304a8\277\266\324\374(&\030\005߁\271\243""

    Executing section authorize from file /etc/raddb/sites-enabled/default

    +- entering group authorize {…}
    ++[preprocess] returns ok

    I have another test-bed with AFAIK EXACTLY the same freeradius setup (the /etc/raddb is just copied over) with the following:

    rad_recv: Access-Request packet from host 10.25.1.10 port 9947, id=54, length=69
    NAS-IP-Address = 10.25.1.10
    NAS-Identifier = "pfsense.pi1m.my"
    User-Name = "foobar"
    User-Password = ""foo!bar!123""

    Executing section authorize from file /etc/raddb/sites-enabled/default

    +- entering group authorize {…}
    ++[preprocess] returns ok

    Why the heck does one setup return the true cleartext password and the other one return a garbled password?
    Note that the passwords are stored as MD5 hashes.

    mysql> select * from radcheck;
    +----+----------+--------------+----+----------------------------------+
    | id | username | attribute    | op | value                            |
    +----+----------+--------------+----+----------------------------------+
    |  1 | da_admin | MD5-Password | := | 274264553b3807300ab3155d2f66d839 |
    |  2 | foobar   | MD5-Password | := | 8694477cb58e460c81d7a1922bc74068 |
    |  5 | wsx      | MD5-Password | := | af83f787e8911dea9b3bf677746ebac9 |
    +----+----------+--------------+----+----------------------------------+

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jul 3, 2013, 12:40 PM

      Not enough of the exchange to really tell from that, but probably a difference such as PAP vs CHAP or other settings in the RADIUS server that govern what it claims to support.

      It could also be a difference in the compile-time options given to freeradius and not in the config file.
