MikroTik & FreeRADIUS with encrypted password

Using FreeRADIUS & ROS 6.38.5.
If FreeRADIUS uses Cleartext-Password, I can connect through Winbox and SSH. If I use encrypted passwords, such as SHA1-Password, I can't connect via Winbox, but SSH connects without problems. How do I connect via Winbox when using encrypted passwords?
support@mikrotik.com does not answer :(


Error via Winbox

10:47:22 system,info,account user papa logged out from 192.168.77.99 via ssh 
10:47:22 radius,debug new request 0d:00 code=Accounting-Request service=login 
10:47:22 radius,debug sending 0d:00 to 172.20.250.2:1813 
10:47:22 radius,debug,packet sending Accounting-Request with id 71 to 172.20.250.2:1813 
10:47:22 radius,debug,packet Signature = 0x97d0bc083012689cb579110e12af2102 
10:47:22 radius,debug,packet Service-Type = 1 
10:47:22 radius,debug,packet User-Name = "papa" 
10:47:22 radius,debug,packet Calling-Station-Id = "192.168.77.99" 
10:47:22 radius,debug,packet Acct-Session-Time = 63 
10:47:22 radius,debug,packet Acct-Terminate-Cause = 1 
10:47:22 radius,debug,packet Acct-Status-Type = 2 
10:47:22 radius,debug,packet Acct-Session-Id = "8400000d" 
10:47:22 radius,debug,packet NAS-Identifier = "CCR" 
10:47:22 radius,debug,packet Acct-Delay-Time = 0 
10:47:22 radius,debug,packet NAS-IP-Address = 172.20.250.3 
10:47:22 radius,debug,packet received Accounting-Response with id 71 from 172.20.250.2:1813 
10:47:22 radius,debug,packet Signature = 0x6b542a6d794b742377a1ffe207e339ad 
10:47:22 radius,debug received reply for 0d:00 
10:47:22 radius,debug request 0d:00 processed 
10:47:42 radius,debug new request 0d:22 code=Access-Request service=login 
10:47:42 radius,debug sending 0d:22 to 172.20.250.2:1812 
10:47:42 radius,debug,packet sending Access-Request with id 72 to 172.20.250.2:1812 
10:47:42 radius,debug,packet Signature = 0x45fac00b5d4e534d4b736ab39fddc95e 
10:47:42 radius,debug,packet Service-Type = 1 
10:47:42 radius,debug,packet User-Name = "papa" 
10:47:42 radius,debug,packet CHAP-Challenge = 0x1b3fcdc319cba1d4aaa4b1af2e0ff27f 
10:47:42 radius,debug,packet CHAP-Password = 0x000e960c7058c1ea7eb3384d9716ce52 
10:47:42 radius,debug,packet e4 
10:47:42 radius,debug,packet Calling-Station-Id = "192.168.77.99" 
10:47:42 radius,debug,packet NAS-Identifier = "CCR" 
10:47:42 radius,debug,packet NAS-IP-Address = 172.20.250.3 
10:47:43 radius,debug resending 0d:22 
10:47:43 radius,debug,packet sending Access-Request with id 72 to 172.20.250.2:1812 
10:47:43 radius,debug,packet Signature = 0x45fac00b5d4e534d4b736ab39fddc95e 
10:47:43 radius,debug,packet Service-Type = 1 
10:47:43 radius,debug,packet User-Name = "papa" 
10:47:43 radius,debug,packet CHAP-Challenge = 0x1b3fcdc319cba1d4aaa4b1af2e0ff27f 
10:47:43 radius,debug,packet CHAP-Password = 0x000e960c7058c1ea7eb3384d9716ce52 
10:47:43 radius,debug,packet e4 
10:47:43 radius,debug,packet Calling-Station-Id = "192.168.77.99" 
10:47:43 radius,debug,packet NAS-Identifier = "CCR" 
10:47:43 radius,debug,packet NAS-IP-Address = 172.20.250.3 
10:47:43 radius,debug resending 0d:22 
10:47:43 radius,debug,packet sending Access-Request with id 72 to 172.20.250.2:1812 
10:47:43 radius,debug,packet Signature = 0x45fac00b5d4e534d4b736ab39fddc95e 
10:47:43 radius,debug,packet Service-Type = 1 
10:47:43 radius,debug,packet User-Name = "papa" 
10:47:43 radius,debug,packet CHAP-Challenge = 0x1b3fcdc319cba1d4aaa4b1af2e0ff27f 
10:47:43 radius,debug,packet CHAP-Password = 0x000e960c7058c1ea7eb3384d9716ce52 
10:47:43 radius,debug,packet e4 
10:47:43 radius,debug,packet Calling-Station-Id = "192.168.77.99" 
10:47:43 radius,debug,packet NAS-Identifier = "CCR" 
10:47:43 radius,debug,packet NAS-IP-Address = 172.20.250.3 
10:47:43 radius,debug timeout for 0d:22 
10:47:43 system,error,critical login failure for user papa from 192.168.77.99 via winbox



OK via ssh

10:49:14 radius,debug new request 0d:23 code=Access-Request service=login 
10:49:14 radius,debug sending 0d:23 to 172.20.250.2:1812 
10:49:14 radius,debug,packet sending Access-Request with id 73 to 172.20.250.2:1812 
10:49:14 radius,debug,packet Signature = 0xabbded08b28c8379cdd05343c6e0030b 
10:49:14 radius,debug,packet Service-Type = 1 
10:49:14 radius,debug,packet User-Name = "papa" 
10:49:14 radius,debug,packet User-Password = 0x 
10:49:14 radius,debug,packet Calling-Station-Id = "192.168.77.99" 
10:49:14 radius,debug,packet NAS-Identifier = "CCR" 
10:49:14 radius,debug,packet NAS-IP-Address = 172.20.250.3 
10:49:15 radius,debug resending 0d:23 
10:49:15 radius,debug,packet sending Access-Request with id 73 to 172.20.250.2:1812 
10:49:15 radius,debug,packet Signature = 0xabbded08b28c8379cdd05343c6e0030b 
10:49:15 radius,debug,packet Service-Type = 1 
10:49:15 radius,debug,packet User-Name = "papa" 
10:49:15 radius,debug,packet User-Password = 0x 
10:49:15 radius,debug,packet Calling-Station-Id = "192.168.77.99" 
10:49:15 radius,debug,packet NAS-Identifier = "CCR" 
10:49:15 radius,debug,packet NAS-IP-Address = 172.20.250.3 
10:49:15 radius,debug resending 0d:23 
10:49:15 radius,debug,packet sending Access-Request with id 73 to 172.20.250.2:1812 
10:49:15 radius,debug,packet Signature = 0xabbded08b28c8379cdd05343c6e0030b 
10:49:15 radius,debug,packet Service-Type = 1 
10:49:15 radius,debug,packet User-Name = "papa" 
10:49:15 radius,debug,packet User-Password = 0x 
10:49:15 radius,debug,packet Calling-Station-Id = "192.168.77.99" 
10:49:15 radius,debug,packet NAS-Identifier = "CCR" 
10:49:15 radius,debug,packet NAS-IP-Address = 172.20.250.3 
10:49:15 radius,debug timeout for 0d:23 
10:49:18 radius,debug new request 0d:24 code=Access-Request service=login 
10:49:18 radius,debug sending 0d:24 to 172.20.250.2:1812 
10:49:18 radius,debug,packet sending Access-Request with id 74 to 172.20.250.2:1812 
10:49:18 radius,debug,packet Signature = 0x9b769a18b49ee4545424f3711186a82c 
10:49:18 radius,debug,packet Service-Type = 1 
10:49:18 radius,debug,packet User-Name = "papa" 
10:49:18 radius,debug,packet User-Password = 0x7061706132313239 
10:49:18 radius,debug,packet Calling-Station-Id = "192.168.77.99" 
10:49:18 radius,debug,packet NAS-Identifier = "CCR" 
10:49:18 radius,debug,packet NAS-IP-Address = 172.20.250.3 
10:49:18 radius,debug,packet received Access-Accept with id 74 from 172.20.250.2:1812 
10:49:18 radius,debug,packet Signature = 0xfa7ada25491f4c0d8c0a9be656b1192d 
10:49:18 radius,debug,packet MT-Group = "full" 
10:49:18 radius,debug received reply for 0d:24 
10:49:18 system,info,account user papa logged in from 192.168.77.99 via ssh 
10:49:18 radius,debug new request 0d:00 code=Accounting-Request service=login 
10:49:18 radius,debug sending 0d:00 to 172.20.250.2:1813 
10:49:18 radius,debug,packet sending Accounting-Request with id 75 to 172.20.250.2:1813 
10:49:18 radius,debug,packet Signature = 0xc8ca10de0e980507708b4e22032d3d24 
10:49:18 radius,debug,packet Service-Type = 1 
10:49:18 radius,debug,packet User-Name = "papa" 
10:49:18 radius,debug,packet Calling-Station-Id = "192.168.77.99" 
10:49:18 radius,debug,packet Acct-Status-Type = 1 
10:49:18 radius,debug,packet Acct-Session-Id = "8400000f" 
10:49:18 radius,debug,packet NAS-Identifier = "CCR" 
10:49:18 radius,debug,packet Acct-Delay-Time = 0 
10:49:18 radius,debug,packet NAS-IP-Address = 172.20.250.3 
10:49:18 radius,debug,packet received Accounting-Response with id 75 from 172.20.250.2:1813 
10:49:18 radius,debug,packet Signature = 0xfb9cf2683d93db705071ef735410cbdb 
10:49:18 radius,debug received reply for 0d:00 
10:49:18 radius,debug request 0d:00 processe

SSH uses PAP authentication, winbox uses CHAP authentication.

CHAP requires passwords to be in clear text format, that’s how CHAP works unfortunately.
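Why a hashed entry such as SHA1-Password works for PAP but not for CHAP, as an added example that is not part of the original thread. The function names and the sample password are constructed for illustration; the CHAP formula is the one from RFC 1994.

```python
import hashlib
import hmac
import os

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response value: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def split_chap_password(attr: bytes) -> tuple:
    """RADIUS CHAP-Password = 1 byte CHAP id followed by the 16-byte response."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be exactly 17 bytes")
    return attr[0], attr[1:]

def verify_pap(stored_sha1: bytes, password_from_nas: bytes) -> bool:
    """PAP: the server recovers the typed password, so it can hash it and
    compare the result with the stored SHA1 digest."""
    candidate = hashlib.sha1(password_from_nas).digest()
    return hmac.compare_digest(candidate, stored_sha1)

def verify_chap(stored_secret: bytes, attr: bytes, challenge: bytes) -> bool:
    """CHAP: the server never sees the password, only MD5 over it, so it must
    recompute that MD5 from the same secret the client used."""
    chap_id, response = split_chap_password(attr)
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"example-pass"                      # constructed sample password
    stored_sha1 = hashlib.sha1(password).digest()   # what a SHA1-Password entry holds
    challenge = os.urandom(16)                      # chosen by the NAS per login
    # What the NAS would put in CHAP-Password for this login (id 7 is arbitrary).
    attr = bytes([7]) + chap_response(7, password, challenge)
    return {
        "pap_with_sha1_entry": verify_pap(stored_sha1, password),
        "chap_with_cleartext_entry": verify_chap(password, attr, challenge),
        # The SHA1 digest is a different secret than the one the client hashed,
        # and the password cannot be recovered from it, so this never matches.
        "chap_with_sha1_entry": verify_chap(stored_sha1, attr, challenge),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In the Winbox log above, the CHAP-Password value (with the wrapped `e4` byte) has exactly this 17-byte layout: CHAP id `0x00` followed by a 16-byte MD5 response.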

Strange, FreeRADIUS allows login in both cases (radtest shows Received Access-Accept), so it turns out MikroTik does not properly handle the response from the RADIUS server.
Any ideas how to get around this without storing the password in cleartext?

Also the same case: http://forum.mikrotik.com/t/freeradius-login-users-cleartext-passwords/52727/1