Hi
I'm having issues setting up RADIUS authentication.
I can see the requests on the server, but the server is returning:
The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.
I'm using Windows 2016 Network Policy Server.
Thanks!
[Solved] Radius setup
Hi,
EDIT:
Since 1.7.2, you can select CHAP or PAP - configurable in RADIUS settings.
Original post:
As you see, Unimus uses CHAP for user auth against RADIUS.
CHAP (and MSCHAP and MSCHAPv2) require that the RADIUS server can read user passwords.
By default, in Windows AD, user passwords are hashed, so NPS cannot auth users with CHAP, since it doesn't know the user's password because of the hashing.
You can tell AD to use encryption for passwords by selecting "Store password using reversible encryption" in user properties ("Account" tab), and then resetting the user's password. This way, NPS can actually decrypt and read the user's password.
Basically, there are 2 protocols that RADIUS can use for authentication - PAP and CHAP (and CHAP's MS variants).
CHAP requires that the client and the server both know the user's password, but communication over the network is NOT cleartext.
PAP can work when user passwords are hashed on the server, but communication over the network IS cleartext.
We use CHAP because, for obvious reasons, sending user credentials over the network in cleartext is bad.
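As an added illustration (not part of the original thread and not Unimus or NPS code) of the trade-off the answer describes: CHAP verification needs the plaintext password on the server, while PAP can be checked against a one-way hash but carries the password in the request. The user record layout, the PBKDF2 hash and the LookupError are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo credentials; not from the thread.
PASSWORD = "correct horse"
SALT = os.urandom(16)
# What a directory stores by default: a one-way hash only.
HASHED_RECORD = {"salt": SALT,
                 "hash": hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), SALT, 100_000)}
# What "Store password using reversible encryption" (plus a reset) makes available.
REVERSIBLE_RECORD = {"plaintext": PASSWORD}


def chap_client_response(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    Only this digest crosses the network, never the password itself."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def chap_server_verify(record: dict, ident: int, challenge: bytes, response: bytes) -> bool:
    """The server must recompute the same MD5, which requires the plaintext.
    With only a hash on file it cannot, which is the condition behind the NPS error."""
    if "plaintext" not in record:
        raise LookupError("reversibly encrypted password does not exist for this account")
    expected = chap_client_response(ident, record["plaintext"], challenge)
    return hmac.compare_digest(expected, response)


def pap_server_verify(record: dict, submitted_password: str) -> bool:
    """PAP: the password itself is carried in the request, so the server can
    check it against a one-way salted hash, but it was exposed in transit."""
    digest = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(digest, record["hash"])


def run_chap(record: dict, typed_password: str) -> bool:
    """One full CHAP exchange: server challenge, client response, server check."""
    ident = 0x2A
    challenge = os.urandom(16)
    response = chap_client_response(ident, typed_password, challenge)
    return chap_server_verify(record, ident, challenge, response)


if __name__ == "__main__":
    print("CHAP against reversible record:", run_chap(REVERSIBLE_RECORD, PASSWORD))
    print("PAP against hashed record:", pap_server_verify(HASHED_RECORD, PASSWORD))
    try:
        run_chap(HASHED_RECORD, PASSWORD)
    except LookupError as err:
        print("CHAP against hashed record:", err)
```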
Awesome, I have it working now.
Also, just in case anyone else has this issue, you also have to reset the user's password after the policy is changed.