But other more commercial radius packages such as steel belted and such allow this.
Frankly I dont see why this is a big deal. Why cant radiusd simply take the password handed to it by CHAP and then compare it to the system shadow file instead of the plain text password given in the users file? If you can auth from a plain text file or a sql database then the protocol clearly does not care where you compare the password to and it is a restriction of free radius and not the protocol. Russell Chris Parker wrote: > At 05:18 PM 10/23/2001 -0400, Russell Enderby wrote: > >The FAQ says to do this: > > > > >So, if you're using CHAP, for each user entry you must use: > > > > > > Auth-Type = Local, Password = "stealme" > > > > > >If you're using only PAP, you can get away with: > > > > > > Auth-Type = System > > > >In the users file I changed the default line from > >Auth-Type=System to > >Auth-Type := Local, Password == "stealme" > > > >and by doing this all users have to use 'stealme' as their password then to > >authenticate. Certainly this is not how CHAP protocol is supposed to > >work. What > >I need is to be able to do PAP and CHAP using the System to check the unix > >shadow > >file for their password to authenticate correctly. > > > >It seems this change does no do that. > > > >Does anyone else know how to do this kind of authentication? > > Read further. You can't. In order to do CHAP you *must* store the > passwords in plaintext locally in the users file ( or sql database ). > > You *CANNOT* use CHAP authentication with encrypted system passwords. > > Sorry, that's how CHAP was designed. > > If you want to support both, you need to cater to the least common > denominator, and that's CHAP. > > PAP: Works with encrypted and non-encrypted passwords. > CHAP: Works with non-encrypted passwords. > > -Chris > -- > \\\|||/// \ Chris Parker - Manager, Development Engineering > \ ~ ~ / \ WX *is* Wireless! \ [EMAIL PROTECTED] > | @ @ | \ http://www.starnetwx.net \ (847) 963-0116 > oOo---(_)---oOo--\------------------------------------------------------ > \ Without C we would have 'obol', 'basi', and 'pasal' > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
