
winbox login - RADIUS PAP vs CHAP

Posted: Tue Jul 22, 2008 10:44 pm
by ngaleyev
Hello,
I'm trying to set up freeradius authentication for logins through winbox, ssh, etc.
My passwords are in md5 format in a mysql database. I was able to set up PAP with MD5 in freeradius. It works from the command line of my linux machine (radtest nick 1234 192.168.0.58 1812 testing123), but when I try to use winbox, I get this debug output:

rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".

Is there any way to force login through PAP instead of CHAP?

P.S. I'm a total noob to radius, so if I misinterpreted something - please correct me.

Re: winbox login - RADIUS PAP vs CHAP

Posted: Tue Jul 22, 2008 10:46 pm
by ngaleyev
Or, as an alternative - how to make freeradius use CHAP with MD5 hashing?

Re: winbox login - RADIUS PAP vs CHAP

Posted: Tue Jul 22, 2008 11:10 pm
by ngaleyev
I can change Auth-Type to CHAP in the radius mysql table, but I lose the ability to use MD5, as I understand it.

Re: winbox login - RADIUS PAP vs CHAP

Posted: Tue Aug 05, 2008 8:20 pm
by daiceman
BUMP

Re: winbox login - RADIUS PAP vs CHAP

Posted: Wed Aug 06, 2008 4:44 pm
by fatonk
PAP authentication is clear text, so that is why you have an option to add MD5 in your radius mysql table to encrypt the unencrypted password. But in CHAP the password is already encrypted and uses MD5 by default, and you cannot force it to use encryption or not in CHAP; it just does by default.

regards

Faton

Re: winbox login - RADIUS PAP vs CHAP

Posted: Wed Aug 06, 2008 10:35 pm
by ngaleyev
I found the same conclusion on the internet.
However, my thought on CHAP and RADIUS (just a theory):
There is a chap module in radius. I looked at the source code, and it looks to me like there is a simple comparison to the database after the handshake. I was wondering if it's possible to insert an md5 conversion right before the comparison to the database, so CHAP will think that the md5 hash is a clear-text password. I tried to implement it, but all the md5 hash functions I found are written in C++, while the chap module is written in plain C. I couldn't figure that out.
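
Added example, not part of the thread and not FreeRADIUS code: the RFC 2865 User-Password (PAP) hiding and the RFC 1994 CHAP response written out in Python, to show why a server that stores only MD5(password) can verify PAP but cannot verify a CHAP response computed from the clear-text password. The password `1234` and shared secret `testing123` come from the radtest line in the first post; the authenticator, challenge and CHAP ID are constructed, and all function names are illustrative.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: hide User-Password as in RFC 2865 section 5.2."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding; the server ends up with the clear text."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")

def pap_check(hidden, secret, authenticator, stored_md5_hex: str) -> bool:
    """PAP against an MD5 column: hash the recovered password, then compare."""
    digest = hashlib.md5(pap_recover(hidden, secret, authenticator)).hexdigest()
    return hmac.compare_digest(digest, stored_md5_hex)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side, RFC 1994: MD5(ID || password || challenge)."""
    return _md5(bytes([chap_id]) + password + challenge)

def chap_check(chap_id, response, challenge, server_value: bytes) -> bool:
    """Server side: recompute with whatever the database holds for the user."""
    return hmac.compare_digest(chap_response(chap_id, server_value, challenge), response)

def demo() -> dict:
    password, secret = b"1234", b"testing123"            # from the radtest line
    auth, challenge, chap_id = bytes(range(16)), bytes(range(16, 32)), 7  # constructed
    stored = hashlib.md5(password).hexdigest()            # what the MySQL table holds
    resp = chap_response(chap_id, password, challenge)    # what the client sends
    return {
        "pap_vs_md5": pap_check(pap_hide(password, secret, auth), secret, auth, stored),
        "chap_vs_cleartext": chap_check(chap_id, resp, challenge, password),
        "chap_vs_md5_hex": chap_check(chap_id, resp, challenge, stored.encode()),
    }

print(demo())
```

With PAP the server sees the password itself and can hash it before comparing; with CHAP it only ever sees a digest over the password and a fresh challenge, so a stored hash cannot be matched against it.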

Re: winbox login - RADIUS PAP vs CHAP

Posted: Fri Jun 18, 2010 1:40 pm
by truekonrads
BUMP!
I have the same issue. Can we force Winbox to do PAP instead of CHAP?

Re: winbox login - RADIUS PAP vs CHAP

Posted: Wed Oct 06, 2010 7:12 pm
by BYost
I would like to add my name to the list of people who would like an option to use PAP for system logins instead of CHAP. Our central AAA stores its passwords encrypted, and we want to integrate the Mikrotiks we have with this system. RouterOS forcing CHAP means maintaining a separate list of cleartext login/password information, and since we have a growing number of "islands" like this, it would be better if we could integrate it with our existing system.

Re: winbox login - RADIUS PAP vs CHAP

Posted: Tue Aug 27, 2013 5:14 pm
by tonyd
BUMP...

Has there been any movement toward addressing this issue? I too do not want to maintain a user list of clear text passwords; this is counter to any good security policy.

Thank you,

td

Re: winbox login - RADIUS PAP vs CHAP

Posted: Mon Nov 13, 2017 11:19 am
by alex1
Folks,

+1 here.
Almost 10 years have passed and it's still an issue. Why not introduce an option to use PAP for Winbox?
Thank you!

A similar thread is here - PAP for Winbox Radius Logins.

Re: winbox login - RADIUS PAP vs CHAP

Posted: Mon Aug 13, 2018 11:42 am
by CCIS
Another +1 here

Re: winbox login - RADIUS PAP vs CHAP

Posted: Thu Aug 23, 2018 9:06 pm
by sirmatt
+1 here

Re: winbox login - RADIUS PAP vs CHAP

Posted: Tue Aug 28, 2018 1:20 pm
by fabricat
+1 for me too

Given that few users would/could store their passwords in clear text, I believe that the user should be given an option to choose the authentication type (CHAP, PAP, MSCHAP, etc.).
As things are now, many users are forced to use local, static (and probably shared) credentials :(