 
ngaleyev
newbie
Topic Author
Posts: 33
Joined: Sat Sep 29, 2007 4:48 pm

winbox login - RADIUS PAP vs CHAP

Tue Jul 22, 2008 10:44 pm

Hello,
I'm trying to set up freeradius authentication for logins through winbox, ssh, etc.
My passwords are in md5 format in a mysql database. I was able to set up PAP with MD5 in freeradius. It works from the command line of my linux machine ( radtest nick 1234 192.168.0.58 1812 testing123), but when I try to use winbox, I get this debug output:

rlm_pap: Attribute "Password" is required for authentication. Cannot use "CHAP-Password".

Is there any way to force login through PAP instead of CHAP?

p.s. I'm a total noob to radius, so if I misinterpreted something - please correct me
Last edited by ngaleyev on Tue Jul 22, 2008 10:58 pm, edited 2 times in total.
 
ngaleyev
newbie
Topic Author
Posts: 33
Joined: Sat Sep 29, 2007 4:48 pm

Re: winbox login - RADIUS PAP vs CHAP

Tue Jul 22, 2008 10:46 pm

Or, as an alternative - how to make freeradius use CHAP with MD5 hashing?
 
ngaleyev
newbie
Topic Author
Posts: 33
Joined: Sat Sep 29, 2007 4:48 pm

Re: winbox login - RADIUS PAP vs CHAP

Tue Jul 22, 2008 11:10 pm

I can change Auth-Type to CHAP in the radius mysql table, but I lose the ability to use MD5, as I understand.
 
daiceman
Frequent Visitor
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Re: winbox login - RADIUS PAP vs CHAP

Tue Aug 05, 2008 8:20 pm

BUMP
 
fatonk
Member
Posts: 438
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Re: winbox login - RADIUS PAP vs CHAP

Wed Aug 06, 2008 4:44 pm

PAP authentication is clear text, so that is why you have an option to add MD5 at your radius mysql table to encrypt the unencrypted password, but in CHAP the password is already encrypted and uses MD5 by default, and you cannot force it to use or not use encryption in CHAP; it just does by default.

regards

Faton
 
ngaleyev
newbie
Topic Author
Posts: 33
Joined: Sat Sep 29, 2007 4:48 pm

Re: winbox login - RADIUS PAP vs CHAP

Wed Aug 06, 2008 10:35 pm

I found the same conclusion on the internet.
However, my thought on CHAP and RADIUS (just a theory):
There is a chap module in radius. I looked at the source code, and it looks to me like there is a simple comparison to the database after the handshake. I was wondering if it's possible to insert an md5 conversion right before the comparison to the database, so CHAP will think that the md5 hash is a clear-text password. Tried to implement it, but all md5 hash functions I found are written in c++, while the chap module is written in plain c. I couldn't figure that out.
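
The check discussed in the posts above, as an added example that is not part of the original thread or of FreeRADIUS: it computes a CHAP response per RFC 1994 and tries to verify it against a cleartext password and against a stored MD5 hash. The function names and the fixed challenge are constructed for illustration; the password `1234` is the one from the `radtest` command in the first post.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5 over the one-byte identifier, the secret, then the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(server_secret: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    """The server must recompute the response, so it needs the same secret the client used."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)

def verify_pap(stored_md5_hex: str, submitted_password: bytes) -> bool:
    """With PAP the server recovers the submitted password, so it can hash it and compare."""
    candidate = hashlib.md5(submitted_password).hexdigest()
    return hmac.compare_digest(candidate, stored_md5_hex)

def demo() -> dict:
    password = b"1234"                              # password from the radtest command
    stored_md5 = hashlib.md5(password).hexdigest()  # what the mysql table holds
    ident, challenge = 7, bytes(range(16))          # constructed sample values

    # Client side: the response is built from the real password and the challenge.
    response = chap_response(ident, password, challenge)

    return {
        # PAP: hash the submitted password, compare with the stored hash.
        "pap_with_stored_hash": verify_pap(stored_md5, password),
        # CHAP: works only when the server holds the cleartext password.
        "chap_with_cleartext": verify_chap(password, ident, challenge, response),
        # CHAP with the hash standing in as the password (hex or raw bytes):
        # the client never hashed its password first, so the digests differ.
        "chap_with_hash_hex": verify_chap(stored_md5.encode(), ident, challenge, response),
        "chap_with_hash_raw": verify_chap(bytes.fromhex(stored_md5), ident, challenge, response),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```
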
 
truekonrads
just joined
Posts: 3
Joined: Fri Jun 18, 2010 10:34 am

Re: winbox login - RADIUS PAP vs CHAP

Fri Jun 18, 2010 1:40 pm

BUMP!
I have same issue. Can we force Winbox to do PAP instead of CHAP?
 
BYost
just joined
Posts: 1
Joined: Wed Oct 06, 2010 7:07 pm

Re: winbox login - RADIUS PAP vs CHAP

Wed Oct 06, 2010 7:12 pm

I would like to add my name to the list of people who would like an option to use PAP for system logins instead of CHAP. Our central AAA stores its passwords encrypted, and we want to integrate the Mikrotiks we have with this system. RouterOS forcing CHAP means maintaining a separate list of cleartext login/password information, and since we have a growing number of "islands" like this, it would be better if we could integrate it with our existing system.
 
tonyd
newbie
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: winbox login - RADIUS PAP vs CHAP

Tue Aug 27, 2013 5:14 pm

BUMP...

Has there been any movement toward addressing this issue? I too do not want to maintain a user list of clear text passwords, this is counter to any good security policy.

Thank you,

td
 
alex1
just joined
Posts: 24
Joined: Sun Jun 04, 2017 9:37 pm

Re: winbox login - RADIUS PAP vs CHAP

Mon Nov 13, 2017 11:19 am

Folks,

+1 here.
Almost 10 years have passed and it's still an issue. Why not introduce an option to use PAP for Winbox?
Thank you!

Similar thread is here - PAP for Winbox Radius Logins.
 
CCIS
just joined
Posts: 11
Joined: Wed May 28, 2008 2:04 am
Location: B.C. Canada

Re: winbox login - RADIUS PAP vs CHAP

Mon Aug 13, 2018 11:42 am

Another +1 here
 
sirmatt
just joined
Posts: 1
Joined: Wed Jul 25, 2018 6:48 pm

Re: winbox login - RADIUS PAP vs CHAP

Thu Aug 23, 2018 9:06 pm

+1 here
 
fabricat
just joined
Posts: 1
Joined: Tue Aug 28, 2018 11:13 am

Re: winbox login - RADIUS PAP vs CHAP

Tue Aug 28, 2018 1:20 pm

+1 for me too

Given that few users would/could store their passwords in clear text, I believe that the user should be given an option to choose the authentication type (CHAP, PAP, MSCHAP, etc.).
As things are now, many users are forced to use local, static (and probably shared) credentials :(
 
smirre
just joined
Posts: 12
Joined: Thu Feb 16, 2006 3:12 pm

Re: winbox login - RADIUS PAP vs CHAP

Wed Aug 31, 2022 9:17 am

+1.....
 
mingalsuo
just joined
Posts: 1
Joined: Mon Jan 23, 2023 6:16 pm

Re: winbox login - RADIUS PAP vs CHAP

Mon Jan 23, 2023 6:41 pm

Hi!

I also hit this one. I was setting up FreeRADIUS to use OpenLDAP as its back-end in my homelab, for login AAA, but since there is no way to tell the RouterOS RADIUS-client that it should use PAP, there's no way to get 100% centralised password management across the entire domain. Everything else speaks PAP with RADIUS or LDAP but RouterOS does not.

So, pretty please, with a cherry on top, can we have PAP for the login service or even outright LDAP?

+1 :-?
 
BrunoBlanes
just joined
Posts: 1
Joined: Fri Feb 03, 2023 5:52 pm

Re: winbox login - RADIUS PAP vs CHAP

Fri Feb 03, 2023 5:53 pm

What are the available workarounds? I'd like to use FreeRadius + OpenLDAP without a Microsoft AD.
