
Password Comparison

The password comparison feature authenticates users against a hashed password stored in an optional attribute of the user repository, rather than against the repository's standard password attribute. The feature is specifically designed to work with a Microsoft Active Directory user repository.

The attribute holding the hashed password can be any user attribute in Active Directory and is selected in Mideye Server. The attribute must contain the (case-sensitive) hashed password, Base64 encoded, in the form {HASH_TYPE}hashed_Password_Base64_Encoded.

A service account with permissions to read user information from Active Directory, including the attribute containing the hashed password, is required.

Note

When Password Comparison is used, the Activate LDAP user locking feature is enabled automatically and cannot be disabled. This prevents brute-force attacks by locking the user in Mideye Server after a certain number of failed login attempts for a specified time. Max failed user attempts sets the number of failed login attempts after which the user is locked, and Number of minutes locked sets how long the user remains locked.

Supported Password Hashes

The supported password hashes are:

  • SHA: SHA-1 hash algorithm
  • SSHA: Salted SHA
  • CRYPT: Unix crypt function
  • MD5: MD5 hash algorithm
  • SMD5: Salted MD5 algorithm

In order to produce valid password hashes, the plain text password must be UTF-8 encoded and the hash must be Base64 encoded, as explained in the following example. Note that SHA and MD5 are fast, unsalted digests: two users with the same password get identical stored values, and precomputed tables apply directly. Prefer the salted variants (SSHA, SMD5) where the hashes are generated by your own tooling.

Hashing Process

The hashing process is as follows:

  1. Hash the UTF-8 encoded plain text password with one of the supported hash algorithms. For the salted variants (SSHA, SMD5) the salt is appended to the password before hashing, and the raw salt bytes are appended to the digest before the next step, as in standard LDAP userPassword values (the example values below follow this layout).

Example

MD5 hash for "password": 5f4dcc3b5aa765d61d8327deb882cf99

  2. Encode the raw hash bytes (not the hexadecimal string) in Base64 format.

Example

Hex input: 5f4dcc3b5aa765d61d8327deb882cf99
Base64 output: X03MO1qnZdYdgyfeuILPmQ==

  3. Prepend the hash algorithm name placed between curly brackets. The character encoding used to produce the hash must be the same one the RADIUS client uses when sending the password (UTF-8); a password containing non-ASCII characters will otherwise produce a different digest and the comparison will fail. Possible stored values for the password "password" are:

  • {SSHA}VtpoxGYLenxwGC88loHYDwb1SpqBbOb6c1OyZiyAQcgFYPPnqRFviA==
  • {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
  • {CRYPT}aajfMKNH1hTm2
  • {MD5}X03MO1qnZdYdgyfeuILPmQ==
  • {SMD5}swXK27O85U86pZxk/sAN6nNhbHQ=

The strings stored for password comparison in the repository are case sensitive, including the algorithm name in the prefix. For example:

  • {CRYPT}aajfMKNH1hTm2 will work
  • {crypt}aajfMKNH1hTm2 will fail
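The three hashing steps above and the case-sensitivity rule, as an added worked example that is not Mideye's own code. It generates {SHA}, {SSHA}, {MD5} and {SMD5} values from a UTF-8 password and verifies a candidate password against a stored value with a constant-time digest comparison. It assumes the salted variants use the standard LDAP layout Base64(digest || salt), which the example values on this page are consistent with; {CRYPT} is delegated to the platform crypt(3) via Python's crypt module, which is deprecated in 3.11 and removed in 3.13, so that path is optional.

```python
import base64
import hashlib
import hmac
import os

# LDAP-style prefixes listed in the documentation, mapped to the hashlib
# algorithm and whether the scheme is salted. Assumption (not stated on the
# page, but consistent with its example values): salted schemes store
# Base64(digest || salt), the conventional LDAP {SSHA}/{SMD5} layout.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def make_hash(password, scheme, salt=None):
    """Build a '{SCHEME}Base64' value for the UTF-8 encoded password.

    For SSHA/SMD5 the salt is appended to the password before hashing and
    the raw salt bytes are appended to the digest before Base64 encoding.
    A fresh random 8-byte salt is generated when none is supplied.
    """
    algo, salted = SCHEMES[scheme]
    data = password.encode("utf-8")      # step 1: UTF-8, not Latin-1 or UTF-16
    if salted:
        salt = os.urandom(8) if salt is None else salt
        raw = hashlib.new(algo, data + salt).digest() + salt
    else:
        raw = hashlib.new(algo, data).digest()
    # step 2: Base64 of the raw digest bytes (not of the hex string)
    encoded = base64.b64encode(raw).decode("ascii")
    # step 3: prefix with the scheme name in curly brackets
    return "{" + scheme + "}" + encoded


def verify(password, stored):
    """Compare a candidate password with a stored '{SCHEME}Base64' value.

    Returns False for an unknown or differently-cased prefix ({md5} is not
    {MD5}), for malformed Base64, for a salted value with no salt bytes, and
    for a mismatching digest. The digest comparison is constant-time.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, encoded = stored[1:].split("}", 1)
    if scheme == "CRYPT":
        return verify_crypt(password, encoded)
    if scheme not in SCHEMES:
        return False                      # exact, case-sensitive prefix match only
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    digest_len = hashlib.new(algo).digest_size
    if salted:
        if len(raw) <= digest_len:
            return False                  # nothing after the digest to use as salt
        digest, salt = raw[:digest_len], raw[digest_len:]
        expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    else:
        digest = raw
        expected = hashlib.new(algo, password.encode("utf-8")).digest()
    return hmac.compare_digest(digest, expected)


def verify_crypt(password, stored):
    """Check a {CRYPT} value with the platform crypt(3); the stored value
    doubles as the salt. Raises if the interpreter has no crypt module
    (removed in Python 3.13) rather than silently reporting a mismatch."""
    try:
        import crypt  # deprecated stdlib binding for crypt(3)
    except ImportError as exc:
        raise RuntimeError("crypt(3) binding not available") from exc
    return hmac.compare_digest(crypt.crypt(password, stored), stored)


if __name__ == "__main__":
    for scheme in SCHEMES:
        print(make_hash("password", scheme))
    print(verify("password", "{MD5}X03MO1qnZdYdgyfeuILPmQ=="))   # True
    print(verify("password", "{md5}X03MO1qnZdYdgyfeuILPmQ=="))   # False (case)
```

The unsalted outputs for "password" reproduce the {SHA} and {MD5} values listed above. When populating the attribute for many users, generate a fresh salt per user with make_hash rather than reusing one; the verifier reads the salt back from the stored value, so nothing else needs to be kept.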

Usage Example

Mideye Server is configured with a working LDAP server, so it is possible to perform a User Search from the LDAP Server Configuration dialog.

To enable password comparison, in the LDAP Server Configuration dialog, select the Authentication tab.

Use the Password Override field to specify the Active Directory user attribute in which the hashed password is stored. In this example, the user attribute physicalDeliveryOfficeName is used. Bear in mind that general-purpose attributes such as this one are readable by authenticated domain users under default Active Directory permissions, so the stored hash is exposed to anyone who can query the directory; restrict read access to the chosen attribute, or pick one with restricted permissions, and prefer the salted hash variants.

Provided that all other settings, such as authentication type, mobile number and/or token number, are correct, after saving the Mideye Server configuration a RADIUS authentication can be performed against the hashed password in the specified attribute of the configured LDAP server.