I am using freeradius v2.1.12 on Ubuntu v14.04. Here is /etc/freeradius/users:

test    SMD5-Password := "{SMD5}xbYqJDY4gqVyE8Vhty//QnRlc3RpbmcxMjM="

I got this value by using the Perl script from http://www.openldap.org/faq/data/cache/418.html. I changed that script by replacing "secret" with "test" and "salt" with "testing123", because "test" is my password and "testing123" is the shared secret.

Here is /etc/freeradius/clients.conf:

client test {
        ipaddr = 127.0.0.1
        secret = testing123
}

I also changed /etc/freeradius/modules/pap to set "auto_header" to "yes":

pap {
        auto_header = yes
}

I am using radtest on the same machine:

radtest -x -t pap test test localhost 0 testing123

The radius server fails the password match:

#> freeradius -X
......
[pap] login attempt with password "test"
[pap] Using SMD5 encryption.
[pap] Passwords don't match
++[pap] returns reject

Do you see what is wrong?

Thanks!

[UPDATE] Thanks Wumpus-Q-Wumbley, that is it. Remove "[SMD5]" and it works.

my_question
  • Wild guess: you should omit the `{SMD5}` prefix since the attribute name already has "SMD5" in it –  Feb 18 '18 at 03:16

1 Answer

You've configured rlm_pap to search for a header but placed your hash in an attribute which is not checked for headers.

You should put your SMD5-Password in the Password-With-Header attribute; rlm_pap will then strip off the header and place the password in the correct attribute.

test    Password-With-Header := "{SMD5}xbYqJDY4gqVyE8Vhty//QnRlc3RpbmcxMjM="

Alternatively you can do what you did and remove the {SMD5} prefix.

Arran Cudbard-Bell
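The layout of the value discussed above, as an added example (not code from the post or from FreeRADIUS): a Python sketch of the salted-MD5 format the OpenLDAP FAQ script produces, base64(MD5(password + salt) + salt), showing that the `{SMD5}` label is not part of the encoded data. The function names are hypothetical, and treating a value that is not valid base64 as a mismatch is this example's choice, not a description of rlm_pap internals.

```python
import base64
import binascii
import hashlib
import hmac

HEADER = "{SMD5}"
MD5_LEN = 16  # size of an MD5 digest in bytes

def make_smd5(password: bytes, salt: bytes) -> str:
    """Return base64(MD5(password + salt) + salt), without the {SMD5} header."""
    digest = hashlib.md5(password + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")

def strip_header(value: str) -> str:
    """Drop a leading {SMD5} label (case-insensitive), if present."""
    if value[:len(HEADER)].upper() == HEADER:
        return value[len(HEADER):]
    return value

def split_smd5(b64_value: str):
    """Decode a header-less value into (digest, salt); ValueError if malformed."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64: {exc}") from exc
    if len(raw) <= MD5_LEN:
        raise ValueError("no salt after the 16-byte MD5 digest")
    return raw[:MD5_LEN], raw[MD5_LEN:]

def check_smd5(password: bytes, b64_value: str) -> bool:
    """Recompute the digest with the embedded salt and compare in constant time."""
    try:
        digest, salt = split_smd5(b64_value)
    except ValueError:
        return False  # assumption of this example: malformed means no match
    return hmac.compare_digest(hashlib.md5(password + salt).digest(), digest)

if __name__ == "__main__":
    page_value = "{SMD5}xbYqJDY4gqVyE8Vhty//QnRlc3RpbmcxMjM="  # from the question
    digest, salt = split_smd5(strip_header(page_value))
    print("salt embedded in the value:", salt)
    print("header left in place:", check_smd5(b"test", page_value))
    print("header stripped     :", check_smd5(b"test", strip_header(page_value)))
```

Decoding the value from the question shows the salt in clear (`testing123`), because the format appends the salt to the digest. A salt therefore should not be a value that has to stay secret, such as the RADIUS shared secret.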