But other more commercial RADIUS packages such as Steel-Belted and such allow
this.

Frankly I don't see why this is a big deal.  Why can't radiusd simply take the
password handed to it by CHAP and then compare it to the system shadow file
instead of the plain text password given in the users file?

If you can auth from a plain text file or a SQL database then the protocol clearly
does not care where you compare the password to and it is a restriction of
FreeRADIUS and not the protocol.

Russell



Chris Parker wrote:

> At 05:18 PM 10/23/2001 -0400, Russell Enderby wrote:
> >The FAQ says to do this:
> >
> > >So, if you're using CHAP, for each user entry you must use:
> > >
> > >        Auth-Type = Local, Password = "stealme"
> > >
> > >If you're using only PAP, you can get away with:
> > >
> > >        Auth-Type = System
> >
> >In the users file I changed the default line from
> >Auth-Type=System to
> >Auth-Type := Local, Password == "stealme"
> >
> >and by doing this all users have to use 'stealme' as their password then to
> >authenticate.  Certainly this is not how CHAP protocol is supposed to work.
> >What I need is to be able to do PAP and CHAP using the System to check the
> >unix shadow file for their password to authenticate correctly.
> >
> >It seems this change does not do that.
> >
> >Does anyone else know how to do this kind of authentication?
>
> Read further.  You can't.  In order to do CHAP you *must* store the
> passwords in plaintext locally in the users file ( or sql database ).
>
> You *CANNOT* use CHAP authentication with encrypted system passwords.
>
> Sorry, that's how CHAP was designed.
>
> If you want to support both, you need to cater to the least common
> denominator, and that's CHAP.
>
>    PAP:  Works with encrypted and non-encrypted passwords.
>    CHAP: Works with non-encrypted passwords.
>
> -Chris
> --
>     \\\|||///  \  Chris Parker    -    Manager, Development Engineering
>     \ ~   ~ /   \       WX *is* Wireless!    \   [EMAIL PROTECTED]
>     | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
> oOo---(_)---oOo--\------------------------------------------------------
>                    \ Without C we would have 'obol', 'basi', and 'pasal'
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
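
Added example, not part of the original thread and not FreeRADIUS code: a minimal model of the two checks discussed above, showing what each one needs from the server's password store. The CHAP response follows RFC 1994 (MD5 over identifier, secret, challenge); the `one_way` function is an assumed stand-in for a crypt(3) shadow hash, and all names and sample values are constructed.

```python
import hashlib
import hmac


def one_way(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for the salted crypt(3) hash in /etc/shadow.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: the peer sends MD5(identifier || secret || challenge).
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_pap(sent_password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    # PAP delivers the password itself to the server, so the server can
    # hash it with the stored salt and compare against the shadow entry.
    return hmac.compare_digest(one_way(sent_password, salt), stored_hash)


def verify_chap(ident: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    # CHAP delivers only a digest. The server must recompute it, and the
    # digest input is the secret itself, not a hash of the secret.
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"correct horse"      # constructed sample password
    salt = bytes(range(8))           # constructed salt
    challenge = bytes(range(16))     # constructed 16-byte challenge
    ident = 7                        # constructed CHAP identifier
    shadow_entry = one_way(password, salt)

    # What an honest client would send for the challenge above.
    response = chap_response(ident, password, challenge)

    return {
        "pap_against_shadow": verify_pap(password, salt, shadow_entry),
        "chap_against_plaintext": verify_chap(ident, challenge, response, password),
        # With only the shadow entry on file, the server feeds the wrong
        # bytes into MD5 and the correct response can never match.
        "chap_against_shadow": verify_chap(ident, challenge, response, shadow_entry),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The trade-off this makes visible: a store that can answer CHAP holds secrets an attacker can use directly if the file or database is read, while a shadow-style store limits a leak to hashes but can only answer PAP.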

