An encrypted password. Passes only if the password sent in the
Access-Request matches the given encrypted password. Most types of
encrypted password only support PAP, not CHAP, MSCHAP or MSCHAPV2
authentication. Passwords encrypted with NT Hashed passwords can support
PAP, MSCHAP and MSCHAPV2 authentication.
Encrypted-Password
understands a number of encrypted formats: SHA, MD5, MD5 Mime, DEC Hashed
passwords, NT Hashed passwords and standard Unix crypt. All the following
match the plaintext password "fred":
Encrypted-Password = "{SHA}k1qAjger6rE9fhCrig+QPZ/HTrJhYWE="
Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
# This next one is also crypt:
Encrypted-Password = "1xMKc0GIVUNbE"
Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
Encrypted-Password = "1xMKc0GIVUNbE"
Encrypted-Password = "{MD5}qP0OV/oViFka8YbFMWEWeg=="
Encrypted-Password = "{MD5}570a90bfbf8c7eab5dc5d4e26832d5b1"
Encrypted-Password = "{dechpwd}3|1234|85ad61e72a41dec4"
Encrypted-Password = "{nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4"
# This next one is also nthash:
Encrypted-Password = DCB8E94AC7D0AADC8A81D9C895ACE5F4
Encrypted-Password =
{mssql}01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313DA7959
C1A798ECD34514694A13D29ED57BE9CBE5DA
If there is no indication
of the encryption type in an Encrypted-Password, Radiator will assume it
is a Unix crypt(3) password if it is 13 or 20 bytes long (20 bytes is the
BSD/ OS DES extended format for crypt(3)), a binary NT hashed password if
it is 16 bytes long and a hex encoded NT hashed password if it is 32 bytes
long.
# Unix Crypt:
Encrypted-Password = 1xMKc0GIVUNbE
# Hex encoded NT Hashed password
Encrypted-Password = DCB8E94AC7D0AADC8A81D9C895ACE5F4
When
Radiator authenticates an MSCHAP or MSCHAP2 request, the default encrypted
password format is taken to be an MD4 hashed password, in the standard
Windows NT hashed password format (either hex encoded or
binary).
