 
prabhatravi
just joined
Topic Author
Posts: 5
Joined: Tue Jan 25, 2022 8:37 am

Support of radius mac auth with username and password

Tue Jan 25, 2022 8:53 am

Hi,

I am trying to implement RADIUS client-side code for MAC auth with MikroTik's RADIUS server. As far as I know, MikroTik doesn't support PAP passwords with MAC auth, so I am trying to implement a CHAP password.
I need a little information related to this, which can help me in implementing the same.
How does the MikroTik RADIUS server decrypt the CHAP-Password attribute coming in a RADIUS Access-Request without a CHAP-Challenge attribute? So that we can encrypt in a similar way on the RADIUS client side.
We tried the following but ended up with "invalid password" from the RADIUS server.
1. putting client mac address in radius chap password radius attribute.
2. putting md5 hash value of client mac address in radius chap password radius attribute.
3. creating md5 hash from radius message authenticator, id, client mac and putting the same in radius chap password radius attribute.

Please help me understand the same.
Thanks,
 
prabhatravi
just joined
Topic Author
Posts: 5
Joined: Tue Jan 25, 2022 8:37 am

Re: Support of radius mac auth with username and password

Sat Jan 29, 2022 6:57 am

Can anyone from the MikroTik developer team help me to understand this?
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: Support of radius mac auth with username and password

Sat Jan 29, 2022 12:46 pm

I would recommend using a better RADIUS server: FreeRADIUS. It can do what you want. Of course you need a separate machine.
Otherwise, you can look at the new usermanager in RouterOS v7. But do not blindly upgrade your router to v7! First evaluate it on a test device.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Support of radius mac auth with username and password

Sat Jan 29, 2022 1:10 pm

This is a user forum, not direct support from Mikrotik.

It is not clear exactly what you are trying to achieve - writing your own RADIUS client to authenticate against User Manager?

> How Mikrotik radius server decrypt chap password radius attribute coming in radius access-request without chap-challenge radius attribute?
No RADIUS server can, you have to send User-Name, CHAP-Password and CHAP-Challenge attributes in an Access-Request message. The server looks up the plaintext secret (the password) for User-Name, computes MD5(User-Name||secret||CHAP-Challenge) and compares this with CHAP-Password.
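
CHAP-Password handling as specified in RFC 2865 (section 5.3) and RFC 1994, as an added example that is not part of the original post: the hash input is the one-octet CHAP identifier, the user's plaintext password and the challenge, and the Request Authenticator serves as the challenge when no CHAP-Challenge attribute is present. Function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional


def chap_password(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: 17-octet CHAP-Password = ident || MD5(ident || secret || challenge)."""
    ident = bytes([chap_id & 0xFF])
    return ident + hashlib.md5(ident + secret + challenge).digest()


def verify_chap(chap_pw: bytes, secret: bytes, request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server side: recompute the response from the stored plaintext password."""
    if len(chap_pw) != 17:
        return False
    # RFC 2865: with no CHAP-Challenge attribute, the 16-octet Request
    # Authenticator of the Access-Request is the challenge.
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = hashlib.md5(chap_pw[:1] + secret + challenge).digest()
    return hmac.compare_digest(expected, chap_pw[1:])


# Constructed sample values (not from the thread): the MAC is the user's password.
MAC_SECRET = b"aabbccddeeff"
REQUEST_AUTH = bytes(range(16))       # stands in for the packet's authenticator
CHALLENGE = bytes(range(100, 116))    # stands in for a CHAP-Challenge value


def demo() -> dict:
    with_attr = chap_password(7, MAC_SECRET, CHALLENGE)
    without_attr = chap_password(7, MAC_SECRET, REQUEST_AUTH)
    bare_md5 = b"\x07" + hashlib.md5(MAC_SECRET).digest()  # attempt 2 in the question
    return {
        "with_challenge": verify_chap(with_attr, MAC_SECRET, REQUEST_AUTH, CHALLENGE),
        "authenticator_as_challenge": verify_chap(without_attr, MAC_SECRET, REQUEST_AUTH),
        "bare_md5_of_mac": verify_chap(bare_md5, MAC_SECRET, REQUEST_AUTH),
        "wrong_case_password": verify_chap(with_attr, b"AABBCCDDEEFF", REQUEST_AUTH, CHALLENGE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```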
 
prabhatravi
just joined
Topic Author
Posts: 5
Joined: Tue Jan 25, 2022 8:37 am

Re: Support of radius mac auth with username and password

Mon Jan 31, 2022 9:04 am

> It is not clear exactly what you are trying to achieve - writing your own RADIUS client to authenticate against User Manager?

We were using hostapd, where it was sending the encrypted user password for the MAC with a delimiter in the USER-PASSWORD RADIUS attribute, which was not working with MikroTik User Manager. But I think User Manager supports only CHAP-Password, so I needed to know how MikroTik creates a hash to compare with the CHAP-Password coming in the RADIUS Access-Request packet.

> No RADIUS server can, you have to send User-Name, CHAP-Password and CHAP-Challenge attributes in an Access-Request message. The server looks up the plaintext secret (the password) for User-Name, computes MD5(User-Name||secret||CHAP-Challenge) and compares this with CHAP-Password.

Thanks for letting me know.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Support of radius mac auth with username and password

Mon Jan 31, 2022 1:35 pm

> We were using hostapd, where it was sending encrypted user-password for mac with delimiter in USER-PASSWORD radius attribute, which was not working with Mikrotik User Manager. But I think User Manager support only CHAP-password, so needed to know how Mikrotik create a hash to compare it with CHAP-Password coming in radius access-request packet.

User-Password is plaintext encrypted in transmission between the RADIUS client and server https://datatracker.ietf.org/doc/html/r ... ection-5.2, if you have a mismatch of the RADIUS secret the server will decode the password incorrectly and then fail to authenticate due to it not matching. It is not the same as CHAP-Password.

I'm not aware of usermanager only permitting CHAP, are you sure the username and password you are entering in usermanager match those being sent? Vendors use differing formats for the username and password including XX:XX:XX:XX:XX:XX, XX-XX-XX-XX-XX-XX, XXXXXXXXXXXX plus the lower-case variants, and occasionally XXXXXX-XXXXXX.
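
The User-Password hiding from RFC 2865 section 5.2 and the MAC spellings listed above, as an added example that is not part of the original post: it shows that a mismatched RADIUS shared secret makes the server recover a different password, and enumerates the formats to try in the user database. Function names, the shared secrets and the sample MAC are constructed, and the lower-case form of XXXXXX-XXXXXX is included as an assumption.

```python
import hashlib


def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad to 16-octet blocks, XOR each with MD5(secret || previous)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, chained on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _keystream_xor(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def mac_formats(mac: str) -> list:
    """Username/password spellings of one MAC, upper case first, then lower case."""
    h = "".join(c for c in mac if c in "0123456789abcdefABCDEF").upper()
    pairs = [h[i:i + 2] for i in range(0, 12, 2)]
    upper = [":".join(pairs), "-".join(pairs), h, h[:6] + "-" + h[6:]]
    return upper + [s.lower() for s in upper]


# Constructed sample values (not from the thread).
AUTHENTICATOR = bytes(range(16))   # stands in for the Request Authenticator
PASSWORD = b"AA:BB:CC:DD:EE:FF"    # 17 octets, so two 16-octet blocks

if __name__ == "__main__":
    hidden = hide_user_password(PASSWORD, b"shared-secret", AUTHENTICATOR)
    print(recover_user_password(hidden, b"shared-secret", AUTHENTICATOR))  # same secret
    print(recover_user_password(hidden, b"other-secret", AUTHENTICATOR))   # mismatch
    print(mac_formats("aa:bb:cc:dd:ee:ff"))
```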
 
prabhatravi
just joined
Topic Author
Posts: 5
Joined: Tue Jan 25, 2022 8:37 am

Re: Support of radius mac auth with username and password

Tue Feb 01, 2022 2:25 pm


> I'm not aware of usermanager only permitting CHAP, are you sure the username and password you are entering in usermanager match those being sent. Vendors use differing formats for the username and password including XX:XX:XX:XX:XX:XX, XX-XX-XX-XX-XX-XX, XXXXXXXXXXXX plus the lower-case variants, and occasionally XXXXXX-XXXXXX.

Thanks a lot for giving these details.
