Hello,
I’m trying to set up FreeRADIUS authentication for logins through winbox, ssh, etc.
My passwords are in MD5 format in a MySQL database. I was able to set up PAP with MD5 in FreeRADIUS. It works from the command line of my Linux machine (radtest nick 1234 192.168.0.58 1812 testing123), but when I try to use winbox, I get this debug output:
rlm_pap: Attribute “Password” is required for authentication. Cannot use “CHAP-Password”.
Is there any way to force login through PAP instead of CHAP?
p.s. I’m a total noob to RADIUS, so if I misinterpreted something, please correct me.
PAP authentication is clear text, so that is why you have an option to add MD5 to your RADIUS MySQL table to encrypt the unencrypted password. In CHAP the password is already encrypted and uses MD5 by default, and you cannot force it to use or not use encryption in CHAP; it just does by default.
I found the same conclusion on the internet.
However, my thought on CHAP and RADIUS (just a theory):
There is a chap module in RADIUS. I looked at the source code, and it looks to me like there is a simple comparison to the database after the handshake. I was wondering if it’s possible to insert an MD5 conversion right before the comparison to the database, so CHAP will think that the MD5 hash is a clear-text password. I tried to implement it, but all the MD5 hash functions I found are written in C++, while the chap module is written in plain C. I couldn’t figure that out.
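To make the PAP/CHAP difference discussed in this thread concrete, here is a small added example (not code from the thread or from FreeRADIUS). It uses the constructed credential nick/1234 from the radtest command above and a constructed challenge; it shows that PAP lets the server compare against a stored MD5 hash, while a CHAP response is MD5(id || password || challenge) computed by the client over the clear-text password, so a server that only holds the hash cannot recompute it.

```python
import hashlib

# Constructed sample: the user's real password is "1234"; the server's
# MySQL table stores only MD5("1234"), never the clear text.
CLEARTEXT_PASSWORD = b"1234"
STORED_MD5 = hashlib.md5(CLEARTEXT_PASSWORD).hexdigest()


def pap_verify(stored_md5_hex: str, presented_password: bytes) -> bool:
    """PAP: the client sends the password itself, so the server can apply the
    same hash the database used and compare the results."""
    return hashlib.md5(presented_password).hexdigest() == stored_md5_hex


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): response = MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def chap_verify(chap_id: int, server_secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """The server must recompute the response from the very same secret bytes
    the client used; it cannot verify with any derived form of the secret."""
    return chap_response(chap_id, server_secret, challenge) == response


def demo() -> dict:
    """Run both checks against the same client behaviour and report results."""
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    chap_id = 1
    # A CHAP client hashes the password the user typed, not the stored hash.
    response = chap_response(chap_id, CLEARTEXT_PASSWORD, challenge)
    return {
        # PAP against the MD5 column: works, matching the radtest result.
        "pap_ok": pap_verify(STORED_MD5, CLEARTEXT_PASSWORD),
        # CHAP works only if the server also knows the clear-text password.
        "chap_with_cleartext": chap_verify(chap_id, CLEARTEXT_PASSWORD,
                                           challenge, response),
        # Feeding the stored hash in as the secret (the idea in the post above)
        # produces a different MD5 input, so the comparison fails.
        "chap_with_stored_hash": chap_verify(chap_id, STORED_MD5.encode(),
                                             challenge, response),
    }
```

The last entry is why the MD5 column cannot be reused for CHAP: the hash would have to be applied on the client before the challenge is mixed in, which the RADIUS client does not do.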
I would like to add my name to the list of people who would like an option to use PAP for system logins instead of CHAP. Our central AAA stores its passwords encrypted, and we want to integrate the Mikrotiks we have with this system. RouterOS forcing CHAP means maintaining a separate list of cleartext login/password information, and since we have a growing number of “islands” like this, it would be better if we could integrate it with our existing system.
Has there been any movement toward addressing this issue? I too do not want to maintain a user list of clear text passwords, this is counter to any good security policy.
Given that few users would/could store their passwords in clear text, I believe that the user should be given an option to choose the authentication type (CHAP, PAP, MSCHAP, etc.).
As things are now, many users are forced to use local, static (and probably shared) credentials.
I also hit this one. I was setting up FreeRADIUS to use OpenLDAP as its back-end in my homelab, for login AAA, but since there is no way to tell the RouterOS RADIUS client that it should use PAP, there’s no way to get 100% centralised password management across the entire domain. Everything else speaks PAP with RADIUS or LDAP, but RouterOS does not.
So, pretty please, with a cherry on top, can we have PAP for the login service or even outright LDAP?