
List:       freeradius-users
Subject:    re: Faking CHAP?
From:       "Puneet B" <puneetb () myway ! com>
Date:       2003-12-31 18:56:35
Message-ID: 20031231185635.CCD88396A () mprdmxin ! myway ! com


> CHAP request comes in, FreeRadius knows that we don't do chap, 
> it checks against the SYSTEM database, and returns accept or reject. 

If the passwords in your "SYSTEM" database are stored one-way hashed
(e.g. /etc/passwd), CHAP can't work. The protocol *requires* access to
a password in clear-text to do the authentication. FreeRadius can do
both CHAP and PAP for incoming requests if it has access to the
password (e.g. in the "users" file). A very useful overview of PAP/CHAP
is in the FAQ: http://freeradius.org/faq/#4.4

> We really would like to just have ONE set of passwords if possible, 
> but if it isn't, I guess there isn't much I can do about it.

If that password can be accessed by FreeRadius in cleartext form, then
that single password can do both PAP/CHAP. E.g. sticking the password
into an LDAP/SQL database or in the users file.

Puneet
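
The point made in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: a CHAP response is MD5(identifier || secret || challenge) per RFC 1994, so a server holding only a one-way hash cannot recompute it, while PAP can be checked against the hash. The PBKDF2 function stands in for a crypt(3)-style hash, and all names and sample values are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in (assumption) for a crypt(3)-style hash as kept in /etc/passwd."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_pap(sent_password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """With PAP the server recovers the password the user typed,
    so it can hash that value and compare against the stored hash."""
    return hmac.compare_digest(one_way_hash(sent_password, salt), stored_hash)


def verify_chap(ident: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """With CHAP the server only sees a digest and must recompute it
    from whatever secret it has on file."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"example-password"      # constructed sample value
    salt = os.urandom(16)
    stored_hash = one_way_hash(password, salt)

    ident, challenge = 7, os.urandom(16)
    response = chap_response(ident, password, challenge)  # sent by the client

    return {
        # One stored hash is enough for PAP.
        "pap_against_hash": verify_pap(password, salt, stored_hash),
        # CHAP succeeds only when the server can read the cleartext.
        "chap_against_cleartext": verify_chap(ident, challenge, response, password),
        # Feeding the stored hash in as the secret gives a different digest.
        "chap_against_hash": verify_chap(ident, challenge, response, stored_hash),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```
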
