Date: Mon, 08 Jun 1998 12:10:57 +0200
From: "IBS / Andre Oppermann" <andre@pipeline.ch>
To: Andreas Klemm <aklemm@hightek.com>
Cc: isp@FreeBSD.ORG
Subject: Re: how does PPP CHAP work ?
Message-ID: <357BB8B1.55C43D5@pipeline.ch>
References: <19980608115605.21479@hightek.com>

Andreas Klemm wrote:
>
> Hi !
>
> I need some quick advice about PPP CHAP, hope you can help.

Yes 8-)

> I have an USR TC Access Router. We only use PAP authentication.
> A typical Radius entry looks like this:
>
> username password, etc ... and then
>         User-Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Port-Limit = 1,
>         Framed-IP-Address = 195.90.205.247,
>         Framed-Netmask = 255.255.255.0,
>         Framed-Routing = None,
>         Framed-Compression = None,
>         Framed-MTU = 1500
>
> Would that PAP client be able to authenticate via CHAP with the
> same RADIUS authentication entry ? I heard from USR tech support,
> that both pap and chap is supported.

No. You have two problems:

 1. PAP passwords are in clear text
 2. CHAP is not CHAP, there is one CHAP standard and MS-CHAP
    Please read the discussion in Brian's newest userland-ppp
 3. CHAP passwords need special handling on the RADIUS server
    (Challenge Handshake Auth Protocol)

> A colleague of mine claims, that it wouldn't be possible, because
> CHAP would use a two way handshake, that means, our access router
> would have to authenticate itself with username and password on
> the client access router.

No, that depends on your configuration.

> On the other hand I didn't find any hint in the official radius
> 2.0.1 manual, that there is a switch/token, what authentication
> to use (PAP or CHAP) and no config tokens, where I could set the
> login and password we'd use to authenticate us on the client.

Well, I allow only PAP at the moment because of those problems but
I think you need a CHAP password entry with a special encrypted
password (with the RFC CHAP or MS-CHAP). But that depends IMO on
the RADIUS client/Dial-In server.

> My own experiences told me, that I have to login myself on
> Cisco's using CHAP and on the cisco client router I don't
> provide a special entry for the Access Server (Cisco Router at
> the ISP).

-- 
Andre Oppermann

CEO / Geschaeftsfuehrer
Internet Business Solutions Ltd. (AG)
Hardstrasse 235, 8005 Zurich, Switzerland
Fon +41 1 277 75 75 / Fax +41 1 277 75 77
http://www.pipeline.ch
ibs@pipeline.ch

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
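
Added example, not part of the original message and not code from any RADIUS server: how a server checks a PAP password versus a standard (RFC 1994, MD5) CHAP response, and what each check needs from the stored user entry. The user table, entry names, password and challenge are constructed for illustration; MS-CHAP is not covered.

```python
import hashlib
import hmac

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP (MD5): hash of Identifier || secret || Challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_pap(entry: dict, password: bytes) -> bool:
    """PAP hands the server the password itself, so either storage form works."""
    if entry["scheme"] == "cleartext":
        candidate = password
    else:  # "sha256": hash what the client sent, then compare digests
        candidate = hashlib.sha256(password).digest()
    return hmac.compare_digest(candidate, entry["value"])

def verify_chap(entry: dict, challenge: bytes, chap_password: bytes):
    """Check a RADIUS CHAP-Password value (1-byte CHAP ident + 16-byte response).

    Returns True/False, or None when the entry cannot be used for CHAP:
    the server must recompute the MD5 itself, which needs the cleartext secret.
    """
    if entry["scheme"] != "cleartext":
        return None
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, entry["value"], challenge)
    return hmac.compare_digest(expected, response)

# Constructed sample data: one password stored two ways in a hypothetical user table.
PASSWORD = b"s3cret-example"
USERS = {
    "alice-clear": {"scheme": "cleartext", "value": PASSWORD},
    "alice-hashed": {"scheme": "sha256", "value": hashlib.sha256(PASSWORD).digest()},
}

def demo() -> dict:
    challenge = bytes(range(16))  # constructed; a real NAS sends random bytes
    ident = 0x2A
    attr = bytes([ident]) + chap_response(ident, PASSWORD, challenge)
    return {
        "pap_clear": verify_pap(USERS["alice-clear"], PASSWORD),
        "pap_hashed": verify_pap(USERS["alice-hashed"], PASSWORD),
        "chap_clear": verify_chap(USERS["alice-clear"], challenge, attr),
        "chap_hashed": verify_chap(USERS["alice-hashed"], challenge, attr),
        "chap_other_challenge": verify_chap(USERS["alice-clear"], b"\xff" * 16, attr),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```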