How do i calculate the encrypted password value of Access-Request RADIUS packet

Question

I am struggling with getting back the password plaintext I used in the FreeRadius setup

Following attributes are what I have got from my pcap file:

Plaintext password = "cisco123"
sharedkey = "sharedsecret"
Ciphertext password = "6ed3a35440abe69b2e8698109b809932" <-- plaintext password is cisco123
authenticator = "344c71c77a2b845b8856ffa968740b73"

So based on the research @http://www.untruth.org/~josh/security/radius/radius-auth.html the steps of deriving the encryped password under Section 2.1 is performed below to my understanding:

Concatenate the sharedkey and authenticator and store in a variable:

SharedKey + Authenticator:  sharedsecret344c71c77a2b845b8856ffa968740b73

MD5 hash the concatenated values :

Md5(SharedKey+Authenticator):  46608024c8f48fd0977bb944ae0eb89a

XOR the plaintext password with the MD5 concatentation result and the result should match the ciphertext

cisco12300000000 XOR 46608024c8f48fd0977bb944ae0eb89a

See below for my debugging results from my code (note my c1 is suppose to match Captured Ciphertext but it isnt ):

Shared Key:  sharedsecret
Authenticator:  344c71c77a2b845b8856ffa968740b73
SharedKey + Authenticator:  sharedsecret344c71c77a2b845b8856ffa968740b73
Md5(SharedKey+Authenticator):  46608024c8f48fd0977bb944ae0eb89a
p1(ascii):  cisco123
p1(hex):  636973636f3132330000000000000000
b1:  46608024c8f48fd0977bb944ae0eb89a
c1(p1 XOR b1):  2509f347a7c5bde3977bb944ae0eb89a
Captured Ciphertext  6ed3a35440abe69b2e8698109b809932

Can I clarify if my step was wrong ?

Answer 1

Radius password was encrypted with Auth-Type.
It depends on your Auth-Type. If it was set to CHAP, password was encrypted with CHAP method. For me,I can not decrypted it.

You may need to set Auth-Type as PAP for plaintext password.