Robert Sink <[EMAIL PROTECTED]> wrote:
> When we configure the Microsoft VPN Server Software (hosted on a
> Windows 2000 Server Machine) to utilize RADIUS, I find that
> authentication/authorization simply doesn't work...for any number of
> reasons. The main one of which is:
> rlm_unix: Attribute "User-Password" is required for authentication.

That's the key reason.

> Now, what irks me and let me admit first that I don't fully understand
> the dogma of the *CHAP protocols nor RADIUS for that matter, is that
> we have to involve the CHAP 'stuff' with the RADIUS server, period.
> That is, why can't the M$CHAP stay between the VPN client and server,
> with the server simply doing a standard RADIUS user/password lookup
> with the shared key?

Because the MS-CHAP stuff smashes the password. It's *impossible* to recover the plain-text password from MS-CHAP.

> I'm certain there are probably good reasons for this, though
> I am writing here hoping to find help and/or configuration tips that
> might allow me to do a M$CHAP->RADIUS->Solaris Shadow password
> authentication.

You can't, sorry. It's impossible. Read the FAQ, about CHAP authentication. The same problems apply to MS-CHAP. You REQUIRE the plain-text password to do MS-CHAP authentication.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
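The following is an added example, not part of the original message or of FreeRADIUS: it uses plain CHAP (RFC 1994, MD5), which the reply says has the same problem as MS-CHAP, to show why a server holding only a one-way shadow hash can check a PAP `User-Password` but cannot check a CHAP response. The PBKDF2 "shadow" hash is an assumed stand-in for a real crypt(3) entry, and the password, salt and challenge are constructed values.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def shadow_hash(password: bytes, salt: bytes) -> bytes:
    """One-way stored hash (assumption: PBKDF2 stands in for crypt(3))."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_pap(user_password: bytes, salt: bytes, stored: bytes) -> bool:
    """PAP: the server receives User-Password, so it can re-hash and compare."""
    return hmac.compare_digest(shadow_hash(user_password, salt), stored)


def verify_chap(ident: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """CHAP: no User-Password arrives; the server must recompute the response
    from whatever secret it holds and compare it to what the client sent."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"correct horse"      # constructed sample password
    salt = b"constructed-salt"       # constructed sample salt
    stored = shadow_hash(password, salt)  # all a shadow file gives the server
    ident, challenge = 7, bytes(range(16))  # constructed CHAP exchange
    response = chap_response(ident, password, challenge)  # client side
    return {
        # PAP against the shadow entry works.
        "pap_with_shadow": verify_pap(password, salt, stored),
        # CHAP works only when the server holds the plain-text password.
        "chap_with_plaintext": verify_chap(ident, challenge, response, password),
        # The shadow hash is not the secret the client hashed, so this fails.
        "chap_with_shadow": verify_chap(ident, challenge, response, stored),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```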
