
CHAP Password decrypt - Freeradius


I'm using FreeRADIUS to authenticate users from my server using PHP code:

update control {
    Reply-Message := `/usr/bin/php -f /etc/raddb/auth.php '%{User-Name}' '%{CHAP-Password}' '%{CHAP-Challenge}' auth`
}

It returns CHAP-Password = 0xa2a421bf267fbffabe5696cf1c6d54f479

and the CHAP-Password is hashed, but I don't have the cleartext password in the database; the password is hashed.

It is working fine with the PAP protocol, but I need to use CHAP for another server configuration.

So my question: is there any way to decrypt the CHAP-Password, or, if this is not possible, to tell CHAP not to hash the password in the configuration?


Solution

  • After searching for many, many hours I finally made CHAP authenticate with my database:

    First: I'm working on freeradius 3, because there are many changes from radius 2 to radius 3

    Second: Database Configuration

    I'm using mysql with 2 Databases like this:

    1. members

      • users
        • id
        • username
        • password
        • .......
        • .......
      • ........
    2. radius

      • radcheck
        • id
        • username
        • attribute
        • op
        • value
      • radpostauth
      • ......

    You need to configure the sql file in this path

    sudo nano mods-available/sql
    

    And change these values

    driver = "rlm_sql_mysql"
    dialect = "mysql"
    server = "localhost"
    login = "your_database_username"
    password = "your_database_password"
    

    Then save and restart radius with:

    sudo service radiusd restart
    

    If radius restarts without error, the configuration is correct.

    After restarting radius you need to copy this file to mods-enabled

    so that radius runs this configuration, because the files in mods-enabled are what radius actually runs

    sudo cp mods-available/sql mods-enabled/sql
    

    To check that everything is running OK

    sudo radiusd -XC
    

    This command runs debug on radius and returns errors.

    If the end of this debug output is

    Configuration appears to be OK

    then everything is fine so far.

    Third: Database Connection and Authenticate

    Now we need to authenticate the username via CHAP, so we need to write a query to select the username from the user table.

    This query goes in the file queries.conf in this path

    sudo nano mods-config/sql/main/mysql/queries.conf
    

    And change the authorize_check_query to

    authorize_check_query = "\
        SELECT members.user.id as id, \
        members.user.username as username, \
        'Cleartext-Password' as attribute, \
        members.user.password as value, \
        ':=' as op \
    FROM members.user \
    WHERE members.user.username = '%{SQL-User-Name}' \
    ORDER BY members.user.id"
    

    FYI, the password must be in plain text, because as you can see the attribute is Cleartext-Password

    Now let's add a row to the user table with username = "ahmed" and password = "test"

    and try to test authentication

    radtest -t chap ahmed test localhost 1812 testing123 
    

    If you receive

    Received Access-Accept Id 105 from 127.0.0.1:1812 to 127.0.0.1:38259 length 20

    then you are done.

    Also, I want to thank @MatthewNewton for his answer and comments on my question :D
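
Why the answer above has to return Cleartext-Password, shown as an added example that is not part of the original post: a CHAP-Password such as the 17-octet value in the question is one identifier octet (0xa2) followed by a 16-octet MD5 digest, so a server can only recompute and compare it, never decrypt it. The function names `chap_hex_to_bin` and `chap_verify` and the sample challenge are hypothetical, and the sketch assumes the CHAP-Challenge attribute is present (RFC 2865 uses the Request Authenticator as the challenge when it is not).

```php
<?php
// Added example: verify a RADIUS CHAP response (RFC 2865 section 5.3).
// CHAP-Password = 1-octet CHAP identifier + MD5(identifier . password . challenge).
// MD5 is one-way, so the server recomputes the digest from the cleartext
// password it has on record and compares; nothing is ever "decrypted".

/** Decode a hex attribute as FreeRADIUS prints it ("0x..."); null if malformed. */
function chap_hex_to_bin(string $hex): ?string
{
    if (strncasecmp($hex, '0x', 2) === 0) {
        $hex = substr($hex, 2);
    }
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        return null;
    }
    return hex2bin($hex);
}

function chap_verify(string $chapPasswordHex, string $challengeHex, string $knownPassword): bool
{
    $chapPassword = chap_hex_to_bin($chapPasswordHex);
    $challenge    = chap_hex_to_bin($challengeHex);
    // Reject malformed input: CHAP-Password must be exactly 17 octets.
    if ($chapPassword === null || $challenge === null || strlen($chapPassword) !== 17) {
        return false;
    }
    $ident    = $chapPassword[0];          // CHAP identifier from the exchange
    $received = substr($chapPassword, 1);  // 16-octet MD5 digest from the client
    $expected = md5($ident . $knownPassword . $challenge, true);
    return hash_equals($expected, $received); // constant-time comparison
}

// Constructed sample data (not taken from the page): build the response a
// client would send for password "test", then check it two ways.
$challengeHex = '0x0102030405060708090a0b0c0d0e0f10';
$ident        = "\x2a";
$digest       = md5($ident . 'test' . hex2bin(substr($challengeHex, 2)), true);
$chapPassword = '0x' . bin2hex($ident . $digest);

// Server holds the cleartext password: the digest can be recomputed.
var_dump(chap_verify($chapPassword, $challengeHex, 'test'));
// Server holds only a hash of the password (the situation in the question):
// the hash is not the value the client fed into MD5, so the check cannot match.
var_dump(chap_verify($chapPassword, $challengeHex, hash('sha256', 'test')));
```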