Hello Herb -
On Tue, 03 Oct 2000, Herbert Kornfeld wrote:
> Hi,
>
> I'm trialling Radiator 2.16 with AuthbyLDAP2. But I can't work out how
> to support CHAP. Or rather, I can't work out why it works.
>
> The NAS is sending User-Name and CHAP-Password attributes to radiator. But
> I don't understand what radiator then looks for in my directory.
>
> The RFC says that the "radius server looks up a password based on the
> User-Name" (section 2.2 of RFC2865), does some MD5 stuff and compares the
> results to the contents of CHAP-Password.
>
> Does this simply mean the User-Password attribute? Or do I have to store
> something else in my directory?
>
> Like I said, it seems to work just with User-Name and User-Password stored
> in clear in the directory, but I want to understand it so I can be sure.
>
Blaz Zupan <[EMAIL PROTECTED]> has already responded to this message (thanks Blaz),
but just for completeness, here is the full story.
As Blaz rightly points out, you must have cleartext passwords in your user
database to be able to use CHAP (or MS-CHAP) as the server must perform the
same encryption as the client so the results can be compared. If you use PAP on
your NAS, you can have encrypted passwords in your database, as the radius
server can encrypt the cleartext password in the PAP request, and again do the
comparison with the contents of the database.
Note from the above that MS-CHAP is now supported (with PAP) in a patch to
Radiator 2.16.3 (see http://www.open.com.au/radiator/downloads/patches-2.16.3/).
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
