7.1.2. Encrypted-Password

An encrypted password. Passes only if the password sent in the Access-Request matches the given encrypted password. Most types of encrypted password only support PAP, not CHAP, MSCHAP or MSCHAPV2 authentication. NT Hashed passwords can support PAP, MSCHAP and MSCHAPV2 authentication.
Encrypted-Password understands a number of encrypted formats: SHA, MD5, MD5 Mime, DEC Hashed passwords, NT Hashed passwords and standard Unix crypt. All the following match the plaintext password "fred":
Encrypted-Password = "{SHA}k1qAjger6rE9fhCrig+QPZ/HTrJhYWE="
Encrypted-Password = "{crypt}1xMKc0GIVUNbE"
# This next one is also crypt:
Encrypted-Password = "1xMKc0GIVUNbE"
Encrypted-Password = "$1$cTpht$Obu9PLSMst1TDou.mN5bk0"
Encrypted-Password = "1xMKc0GIVUNbE"
Encrypted-Password = "{MD5}qP0OV/oViFka8YbFMWEWeg=="
Encrypted-Password = "{MD5}570a90bfbf8c7eab5dc5d4e26832d5b1"
Encrypted-Password = "{dechpwd}3|1234|85ad61e72a41dec4"
Encrypted-Password = "{nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4"
# This next one is also nthash:
Encrypted-Password = DCB8E94AC7D0AADC8A81D9C895ACE5F4
Encrypted-Password = {mssql}01003A54FC73501798169BEC84C05CA0D2FBB70009C2556313DA7959C1A798ECD34514694A13D29ED57BE9CBE5DA
If an Encrypted-Password gives no indication of the encryption type, Radiator assumes it is a Unix crypt(3) password if it is 13 or 20 bytes long (20 bytes is the BSD/OS DES extended format for crypt(3)), a binary NT hashed password if it is 16 bytes long, and a hex encoded NT hashed password if it is 32 bytes long.
# Unix Crypt:
Encrypted-Password = 1xMKc0GIVUNbE
# Hex encoded NT Hashed password
Encrypted-Password = DCB8E94AC7D0AADC8A81D9C895ACE5F4
When Radiator authenticates an MSCHAP or MSCHAPV2 request, the default encrypted password format is taken to be an MD4 hashed password, in the standard Windows NT hashed password format (either hex encoded or binary).
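
The prefix and length rules above can be used to audit a user table before MSCHAP or MSCHAPV2 is enabled. The following Python sketch is an added example, not Radiator code: the function names and the user table are hypothetical, the handling of "$"-prefixed values is an assumption, and every format other than NT hash is treated as PAP-only, following the "most types" statement above.

```python
import re

# {prefix} tags from this page's examples; matched case-insensitively here,
# which is an assumption of this sketch.
PREFIXED = {"sha": "SHA", "md5": "MD5", "crypt": "Unix crypt",
            "dechpwd": "DEC hash", "nthash": "NT hash", "mssql": "MSSQL"}
PAP_ONLY = ("PAP",)
NT_PROTOCOLS = ("PAP", "MSCHAP", "MSCHAPV2")  # NT hashes only, per the text


def classify(value):
    """Return (format, usable protocols); value is str, or bytes if binary."""
    text = value.strip().strip('"') if isinstance(value, str) else ""
    size = len(text) if isinstance(value, str) else len(value)
    tag = re.match(r"\{([A-Za-z0-9]+)\}", text)
    if tag:
        fmt = PREFIXED.get(tag.group(1).lower(), "unknown")
    elif text.startswith("$"):
        fmt = "Unix crypt"  # assumption: $id$salt$hash is handed to crypt(3)
    elif size in (13, 20):
        fmt = "Unix crypt"  # 20 is the BSD/OS DES extended format
    elif size == 16:
        fmt = "NT hash (binary)"
    elif size == 32:
        fmt = "NT hash (hex)"
    else:
        fmt = "unknown"
    if fmt == "unknown":
        return fmt, ()
    return fmt, NT_PROTOCOLS if fmt.startswith("NT hash") else PAP_ONLY


def mschap_blockers(users):
    """Names whose stored value cannot answer an MSCHAP/MSCHAPV2 request."""
    return sorted(u for u, v in users.items() if "MSCHAP" not in classify(v)[1])


# Constructed user table; the values are the page's own examples for "fred".
SAMPLE_USERS = {
    "alice": '"{crypt}1xMKc0GIVUNbE"',
    "bob": "DCB8E94AC7D0AADC8A81D9C895ACE5F4",
    "carol": '"{MD5}570a90bfbf8c7eab5dc5d4e26832d5b1"',
    "dave": '"{nthash}DCB8E94AC7D0AADC8A81D9C895ACE5F4"',
    "erin": '"$1$cTpht$Obu9PLSMst1TDou.mN5bk0"',
}

if __name__ == "__main__":
    for name, stored in SAMPLE_USERS.items():
        print(name, *classify(stored))
    print("cannot use MSCHAP:", mschap_blockers(SAMPLE_USERS))
```

Values classified as "unknown" match none of the rules on this page and are worth reviewing by hand.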