Using encrypted password instead of Clear text password

goodperson · Jan 27, 2018 · Viewed 7.7k times

I am trying to set up a hotspot system using CoovaChilli and FreeRadius with RADIUSdesk.

I have done the most part of it. The Captive portal login page is displayed but I can't authenticate as a user.

When I looked into the logs, Coova Chilli on my OpenWRT sent X????MVJ??? ??<? as the User-Password.

redir.c: 3854: 0 (Debug) redir_accept: Sending RADIUS request
radius.c: 1316: 0 (Debug) RADIUS client 0.0.0.0:0
redir.c: 2670: 0 (Debug) created radius packet (code=1, id=80, len=37)

redir.c: 2708: 0 (Debug) User password 16 [O��F��hs�
t��3]
redir.c: 2831: 0 (Debug) sending radius packet (code=1, id=80, len=299)

radius.c: 321: 0 (Debug) Allocating RADIUS packet

I looked into the freeradius logs too and got to know that Freeradius decrypted the original password.

(0) pl_reset_time_for_data:   $RAD_REQUEST{'User-Password'} = &request:User-Password -> 'X????MVJ??? ??<?'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-IP-Address'} = &request:NAS-IP-Address -> '10.1.0.1'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port'} = &request:NAS-Port -> '5'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Service-Type'} = &request:Service-Type -> 'Login-User'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Framed-IP-Address'} = &request:Framed-IP-Address -> '10.1.0.4'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Called-Station-Id'} = &request:Called-Station-Id -> 'C0-25-E9-07-52-76'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Calling-Station-Id'} = &request:Calling-Station-Id -> 'AC-C3-3A-C0-F5-60'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Identifier'} = &request:NAS-Identifier -> 'HUBS_ROOTS_HUB_1_cp_42'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port-Type'} = &request:NAS-Port-Type -> 'Wireless-802.11'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Acct-Session-Id'} = &request:Acct-Session-Id -> '5a6c2ea800000005'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Event-Timestamp'} = &request:Event-Timestamp -> 'Jan 27 2018 07:49:15 UTC'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Message-Authenticator'} = &request:Message-Authenticator -> '0x3a3eb994b712e98f3a49e665e27e4d20'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'NAS-Port-Id'} = &request:NAS-Port-Id -> '00000005'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Location-ID'} = &request:WISPr-Location-ID -> 'isocc=,cc=,ac=,network=Coova,'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Location-Name'} = &request:WISPr-Location-Name -> 'Roots_Daryaganj'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'WISPr-Logoff-URL'} = &request:WISPr-Logoff-URL -> 'http://10.1.0.1:3990/logoff'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'Realm'} = &request:Realm -> 'roots'
(0) pl_reset_time_for_data:   $RAD_REQUEST{'ChilliSpot-Version'} = &request:ChilliSpot-Version -> '1.3.1-svn'
(0) pl_reset_time_for_data:   $RAD_REPLY{'Fall-Through'} = &reply:Fall-Through -> 'Yes'
(0) pl_reset_time_for_data:   $RAD_CHECK{'User-Profile'} = &control:User-Profile -> '1G-1Day'
(0) pl_reset_time_for_data:   $RAD_CHECK{'Cleartext-Password'} = &control:Cleartext-Password -> '<my cleartext password>'

But, when comparing, the server is using the encrypted password instead of the cleartext one.

# Executing group from file /etc/freeradius/sites-enabled/radiusdesk-plain
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: ERROR: Cleartext password "X????MVJ??? ??<?" does not match "known good" password
(0) pap: Passwords don't match
(0)     [pap] = reject
(0)   } # Auth-Type PAP = reject
(0) Failed to authenticate the user
(0) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/sites-enabled/radiusdesk-plain
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}

Answer

Arran Cudbard-Bell · Feb 27, 2018

In RADIUS the User-Password attribute is reversibly encrypted using a shared secret known between the NAS (Coova) and the RADIUS server FreeRADIUS.

My guess is that Coova is displaying the output of this encryption function instead of the original cleartext password. Which is odd... It could be doing that for security reasons so that you need to know the shared secret to decrypt passwords in the logs.

As for why you still get encrypted output, it seems likely that the shared secret is incorrect either in Coova or FreeRADIUS. The default secret for requests coming from 127.0.0.1 is testing123, so if Coova and FreeRADIUS are colocated, I'd try configuring that in Coova.

If Coova and FreeRADIUS are running on different hosts, check that the secret configured in raddb/clients.conf matches what you have in Coova.

The reason the string changes each time is that the ciphertext is created with a random component (the request authenticator field), which changes with each subsequent (non-retransmitted) request.
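The User-Password hiding scheme the answer describes (RFC 2865 section 5.2), written out as an added example that is not from the question, the answer, or the FreeRADIUS/CoovaChilli code. The password and Request Authenticator are constructed; the secret is the testing123 default mentioned above. It shows why a wrong secret yields the unprintable garbage FreeRADIUS warns about, and why the wire bytes differ per request.

```python
import hashlib
import os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16, then
    c_i = p_i XOR MD5(secret + prev), where prev is the 16-byte Request
    Authenticator for the first block and the previous ciphertext block after."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # the ciphertext block is chained into the next keystream block
    return out

def unhide_user_password(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; only works if the server holds the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def looks_like_secret_mismatch(recovered: bytes) -> bool:
    """The heuristic behind FreeRADIUS' 'Unprintable characters in the password'
    warning: a PAP password unhidden with the right secret is printable text;
    control or high-bit bytes point at a NAS/server shared-secret mismatch."""
    return any(b < 0x20 or b > 0x7e for b in recovered)

if __name__ == "__main__":
    secret = b"testing123"                 # FreeRADIUS' default secret for 127.0.0.1
    password = b"correct horse battery"    # constructed sample, 21 bytes -> 2 blocks
    auth = os.urandom(16)                  # the NAS picks a fresh one per request
    hidden = hide_user_password(password, secret, auth)
    print("wire bytes:", hidden.hex())
    print("right secret:", unhide_user_password(hidden, secret, auth))
    wrong = unhide_user_password(hidden, b"wrong-secret", auth)
    print("wrong secret:", wrong, "mismatch?", looks_like_secret_mismatch(wrong))
```

Running it twice prints different wire bytes for the same password because the authenticator changes, while the right secret recovers the same cleartext both times.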