Reputation: 2530
I'm using FreeRADIUS to authenticate users from my server using PHP code:
update control {
Reply-Message := `/usr/bin/php -f /etc/raddb/auth.php '%{User-Name}' '%{CHAP-Password}' '%{CHAP-Challenge}' auth`
}
It returns CHAP-Password = 0xa2a421bf267fbffabe5696cf1c6d54f479
and the CHAP-Password is hashed, but I don't have the clear-text password in the database; the password is hashed.
It works fine with the PAP protocol, but I need to use CHAP for other server configuration.
So my question: is there any way to decrypt the CHAP-Password, or, if this is not possible, to tell CHAP not to hash the password in the configuration?
Upvotes: 0
Views: 11285
Reputation: 2530
After searching for many, many hours I finally made CHAP authenticate with my database:
First: I'm working on FreeRADIUS 3, because there are many changes between radius 2 and radius 3
Second: Database Configuration
I'm using MySQL with 2 databases like this:
members
radius
You need to configure the sql file in this location:
sudo nano mods-available/sql
And change these values:
driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
login = "your_database_username"
password = "your_database_password"
Then save and restart radius with:
sudo service radiusd restart
If radius restarts without error, the configuration is correct.
After restarting radius you need to copy this file to mods-enabled
so radius runs this configuration, because the files in mods-enabled are what radius actually runs:
sudo cp mods-available/sql mods-enabled/sql
To check if everything is running OK:
sudo radiusd -XC
This command runs debug on radius and returns errors.
If the end of this debug output is
Configuration appears to be OK
then everything is fine so far.
Third: Database Connection and Authenticate
Now we need to authenticate the username via CHAP, so we need to write a query to select the username from the user table.
This query goes in the file queries.conf in this location:
sudo nano mods-config/sql/main/mysql/queries.conf
And change the authorize_check_query to:
authorize_check_query = "\
SELECT members.user.id as id, \
members.user.username as username, \
'Cleartext-Password' as attribute, \
members.user.password as value, \
':=' as op \
FROM members.user \
WHERE members.user.username = '%{SQL-User-Name}' \
ORDER BY members.user.id"
FYI, the password must be in plain text, because as you can see the attribute is Cleartext-Password.
Now let's add a row to the user table with username = "ahmed" and password = "test"
and try to test authentication:
radtest -t chap ahmed test localhost 1812 testing123
If you receive
Received Access-Accept Id 105 from 127.0.0.1:1812 to 127.0.0.1:38259 length 20
then you are done.
Also, I want to thank @MatthewNewton for his answer and comments on my question :D
Upvotes: 1
Reputation: 655
CHAP is challenge-response. The hex you see is not an encrypted password and there is no way to "decrypt" it to get a plain-text password.
With PAP you can have an encrypted password on the server, or plaintext. You are sent a plaintext password which you can test.
With CHAP you need the plaintext password on the server to check that the response to the challenge is correct.
So you can't do what you want to do in the current form.
Upvotes: 1
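The challenge-response check described in the answer above, as an added example that is not part of the original posts: it splits a CHAP-Password value like the 17-octet one in the question into ident and digest, then shows the server-side comparison succeeding with a stored cleartext password and failing with a stored hash. The function names, the sample challenge and the hex-MD5 storage format are assumptions made for illustration.

```python
import hashlib
import hmac

def split_chap_password(attr: bytes):
    """CHAP-Password is 17 octets: 1-octet CHAP ident + 16-octet MD5 digest."""
    if len(attr) != 17:
        raise ValueError("CHAP-Password must be 17 octets")
    return attr[0], attr[1:]

def chap_digest(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Server side: recompute the digest from the stored secret and compare."""
    ident, received = split_chap_password(attr)
    return hmac.compare_digest(received, chap_digest(ident, stored_secret, challenge))

def demo():
    # Constructed sample values; "test" is the radtest password from the answer.
    password = b"test"
    challenge = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    ident = 0xA2
    attr = bytes([ident]) + chap_digest(ident, password, challenge)  # client side

    # Cleartext password in the database: the digest can be recomputed.
    cleartext_ok = verify_chap(attr, challenge, password)

    # Only a hash in the database (hex MD5 here, an assumed storage format):
    # the server hashes different input, so the comparison cannot match.
    hashed_column = hashlib.md5(password).hexdigest().encode()
    hashed_ok = verify_chap(attr, challenge, hashed_column)

    # The digest is bound to the challenge: a new challenge rejects a replay.
    replay_ok = verify_chap(attr, bytes.fromhex("ff" * 16), password)
    return cleartext_ok, hashed_ok, replay_ok

if __name__ == "__main__":
    print(demo())
```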