Date: Mon, 8 Jun 1998 17:23 EDT
From: Barney Wolff <barney@databus.com>
To: freebsd-isp@FreeBSD.ORG
Subject: Re: how does PPP CHAP work ?
Message-ID: <357c59a20.6c5d@databus.databus.com>
There is much confusion here.

If the Radius server's user file contains the user's actual password, either in clear text or in reversibly encrypted form, CHAP will work fine. If you are using the Unix passwd file to authenticate, CHAP will not work, because the server needs the actual password to check the CHAP response. In the freely available Livingston-based (1.16) Radius server, there is no distinction in the users file for PAP or CHAP authentication, and a given user can be authenticated either way (not recommended, but sometimes convenient).

Quite separate from this, some Cisco routers do bidirectional authentication when connecting. Nothing in standard Radius gives any way to specify how the NAS should respond if the caller wants to authenticate the NAS.

By the time a Radius request comes to the server, the decision of PAP/CHAP has already been made, by LCP negotiation between the NAS and the caller.

Microsoft clients can use either standard CHAP or MS-CHAP. RAS, as a dialin server, uses MS-CHAP by default and will not work with a standard Radius server. That's changed in NT 5 (some service pack) so that NT can be configured to proxy to a standard Radius server, provided the server is right up-to-date. For example, NT sends the CHAP challenge as a Radius attribute rather than in the Authenticator. Legal, but an old Radius server won't like it.

Barney Wolff <barney@databus.com>
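The server-side CHAP check discussed in the message above, as an added example that is not part of the original e-mail or of any Radius server's code. It assumes standard CHAP with MD5 and the Radius attribute numbers CHAP-Password (3) and CHAP-Challenge (60); the `honor_chap_challenge` flag is a hypothetical switch that models an older server that only looks at the Authenticator, and the SHA-256 digest is a stand-in for a one-way passwd-file hash.

```python
import hashlib
import hmac

CHAP_PASSWORD = 3    # 1-octet CHAP identifier followed by the 16-octet response
CHAP_CHALLENGE = 60  # challenge the NAS issued to the caller


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Standard CHAP response: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(attrs, authenticator, stored_secret, honor_chap_challenge=True):
    """Check an Access-Request; attrs maps attribute type -> value bytes
    (a simplified, constructed view of an already parsed packet)."""
    chap_pw = attrs.get(CHAP_PASSWORD)
    if chap_pw is None or len(chap_pw) != 17:
        return False
    ident, response = chap_pw[0], chap_pw[1:]
    challenge = authenticator  # default: challenge is the Request Authenticator
    if honor_chap_challenge and CHAP_CHALLENGE in attrs:
        challenge = attrs[CHAP_CHALLENGE]
    # The server must recompute the digest, so it needs the real password.
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password, ident = b"example-secret", 0x2A  # constructed sample values
    auth1 = bytes(range(16))                   # challenge sent in the Authenticator
    req1 = {CHAP_PASSWORD: bytes([ident]) + chap_response(ident, password, auth1)}
    chal2, auth2 = bytes(range(16, 32)), bytes(range(32, 48))
    req2 = {CHAP_PASSWORD: bytes([ident]) + chap_response(ident, password, chal2),
            CHAP_CHALLENGE: chal2}             # challenge sent as an attribute
    one_way = hashlib.sha256(password).digest()  # stand-in for a passwd hash
    return {
        "challenge_in_authenticator": verify_chap(req1, auth1, password),
        "challenge_in_attribute": verify_chap(req2, auth2, password),
        "attribute_ignored_by_old_server": verify_chap(req2, auth2, password, False),
        "server_holds_only_one_way_hash": verify_chap(req1, auth1, one_way),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```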