I have noticed that if I have the password stored in the database in MD5 or SHA, the user cannot use/authenticate using:
bandwidth test
winbox
mac-telnet
The only things that work are:
telnet
ssh
ftp
If I have the password in clear text format, all of the above work.
freeradius -X returns:
Without clear text login via winbox/mac-telnet/bw test:
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = CHAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group CHAP {...}
[chap] login attempt by "*****" with CHAP password
[chap] Cleartext-Password is required for authentication
With SHA or MD5 password login via ssh/telnet:
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing SHA-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "*******"
[pap] Using SHA1 encryption.
[pap] User authenticated successfully
++[pap] returns ok
I have found that when logging in via ssh/telnet, MikroTik sends the password in clear text. When logging in via winbox/mac-telnet/bw-test, MikroTik sends the password in CHAP-Password format. It is now obvious why RADIUS fails to “transform” the CHAP password into SHA-Password.
I am asking why it is different in winbox/mac-telnet/bw-test?
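Added example, not part of the original post: a small Python model of the two checks in the debug output above, showing why a stored SHA-Password can verify a PAP login but cannot verify a CHAP-Password, which is MD5(ident || password || challenge) per RFC 1994/RFC 2865. The function names, password and challenge are constructed for illustration, and RADIUS packet handling (including User-Password de-obfuscation with the shared secret) is assumed to have already happened.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response: MD5 over ident byte, the password itself, and the challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_pap(received_password: bytes, stored_sha1_hex: str) -> bool:
    """PAP: the server receives the password, so it can hash it and compare."""
    digest = hashlib.sha1(received_password).hexdigest()
    return hmac.compare_digest(digest, stored_sha1_hex.lower())

def verify_chap(chap_password: bytes, challenge: bytes, known_secret: bytes) -> bool:
    """CHAP: the server must recompute the MD5, which needs the original password."""
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, known_secret, challenge), response)

def demo() -> dict:
    password = b"constructed-sample-pw"                 # constructed sample value
    stored_sha1 = hashlib.sha1(password).hexdigest()    # what the SQL row holds as SHA-Password
    challenge = bytes(range(16))                        # constructed 16-byte challenge
    ident = 7                                           # constructed CHAP identifier
    # CHAP-Password attribute as sent by the NAS: ident byte + 16-byte response
    chap_attr = bytes([ident]) + chap_response(ident, password, challenge)
    return {
        # ssh/telnet/ftp path: password arrives via PAP, hash comparison works
        "pap_vs_sha1": verify_pap(password, stored_sha1),
        # winbox/mac-telnet/bw-test path with Cleartext-Password in the database
        "chap_vs_cleartext": verify_chap(chap_attr, challenge, password),
        # same path with only the hash available: neither form of it matches
        "chap_vs_sha1_hex": verify_chap(chap_attr, challenge, stored_sha1.encode()),
        "chap_vs_sha1_raw": verify_chap(chap_attr, challenge, bytes.fromhex(stored_sha1)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```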
Hi,
I had the same problem before. My problem was solved by moving some lines in /usr/local/etc/raddb/sites-enabled/default.
I’m using SQL, so I load the SQL module and pap, chap.
I’ve changed the lines from:
chap
sql
pap
to:
sql
pap
chap
So FreeRADIUS first loads sql and then loads chap, so it could locate the password in SQL.
I have the same issue. If the user has a password configured in the database with the attribute “Cleartext-Password”, everything is fine, but I would like to know what other attribute and hash I should store so that all passwords are encrypted and winbox/ssh/telnet work. These days it is very, very unacceptable to store any password in clear text format. In our company we have a lot of MikroTik routers and would like to have centralized user control with a FreeRADIUS server. I have read that the latest versions of Winbox support PAP as an authentication mechanism, but I didn’t manage to find any information on how to configure it.
I would really highly appreciate it if someone could help us with the config. Thanks in advance.