At 11:22 AM 3/21/2002 -0500, Shawn O'Shea wrote:
> >
> > > Wed Mar 20 15:35:57 2002 : Auth: Login incorrect:
> > > [{ed: whatever username -sko}/<CHAP-Password>] (from nas
> > > UNKNOWN-NAS port 0 cli 8475061520)
> > >
> > > If I use just User-Password, this works like a dream. Any suggestions?
> >
> > Don't use CHAP.
>
>Ok, well the UUNET docs state that I can use PAP or CHAP. Here's what
>their doc says about it though:
>
>Although the Reseller may not be using CHAP, they must configure their
>RADIUS server to respond to a CHAP request by requesting PAP
>authentication after declining CHAP. This is done during the LCP phase of
>creating a PPP session.
>
>Is this doable in freeradius?
Not really a function of RADIUS. The LCP phase of the PPP session is
between the dialup-client ( end-user ) and the NAS. Radius is not
involved until after the LCP negotiation is done.
UUNet wants you do this because they primarily run Ascend TNTs. In
presenting the authentication types to the dialup-client the older
Ascend code offered CHAP first, and if that was refused, offered PAP.
The one problem with this is Windows DUN if offered CHAP will always
accept it ( so you'd never get to PAP ). They changed this in about
TAOS 9.x, where there is an option called 'PAP preferred' to set the
auth method. This reverses the order they are presented so that PAP is
given as the first option, and CHAP as the second option.
Windows DUN *can* be made to reject PAP and use CHAP ( via the 'Require
Encrypted Password' option ), but it *cannot* be made to reject CHAP
if it is offered.
> > From what I recall, the LDAP module tries to authenticate to the
> > LDAP server, using the username/password supplied in the packet.
> > Therefore, it needs access to the plain-text password, as it's telling
> > you.
>
>Running freeradius in debug mode, this is indeed what the LDAP module is
>doing. After reading through the section of the FAQ you pointed out, and
>the "Interoperation with PAP and CHAP" section of RFC2138 I'm starting to
>understand what the deal is.
In effect, though UUNet "supports" PAP, you can only use that if the
clients reject CHAP, which DUN can't do. So in effect, UUNet is CHAP
only ( unless you have a non Windows DUN client that can be made to
reject CHAP ).
Good luck trying to get UUNet to change. You're going to have to figure
out how to get CHAP working with LDAP, because you won't be able to get
PAP requests sent.
> > The alternative is to use a DB which stores the password in clear text.
Or to use a dialup wholesaler that offers PAP first and CHAP second, so
that you can actually receive PAP requests. ;)
-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
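The reason the LDAP module fails on CHAP but works on PAP, shown as an added example (not code from the thread or from FreeRADIUS): a CHAP-Password can only be checked by recomputing MD5(Ident || password || challenge) from the cleartext, whereas a PAP User-Password arrives in cleartext and can be checked against a hashed store. The user entry, salt and 16-octet challenge are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample data (not from the thread): one user's stored credential in
# the two forms discussed, cleartext vs. a hashed LDAP userPassword
# (here {SSHA} = sha1(password + salt) + salt).
PASSWORD = b"s3cret"
SALT = b"saltsalt"
CLEARTEXT_ENTRY = {"type": "cleartext", "value": PASSWORD}
SSHA_ENTRY = {"type": "ssha",
              "value": hashlib.sha1(PASSWORD + SALT).digest() + SALT}
# Constructed 16-octet challenge; in RADIUS this is the CHAP-Challenge
# attribute or, if absent, the Request Authenticator (RFC 2865 sec. 5.3).
CHALLENGE = bytes(range(16))

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the dialup client computes (RFC 1994): MD5(Ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute value: one octet Ident, then the 16-octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)

def verify_chap(chap_password: bytes, challenge: bytes, entry: dict) -> Optional[bool]:
    """True/False when the server holds the cleartext; None when it only holds a
    hash, because the response can only be recomputed from the cleartext."""
    if entry["type"] != "cleartext":
        return None   # the situation behind the 'Login incorrect' in the thread
    ident, response = chap_password[0], chap_password[1:17]
    expected = chap_response(ident, entry["value"], challenge)
    return hmac.compare_digest(expected, response)

def verify_pap(user_password: bytes, entry: dict) -> bool:
    """PAP delivers the cleartext, so the server can check it against any stored form."""
    if entry["type"] == "cleartext":
        return hmac.compare_digest(user_password, entry["value"])
    salt = entry["value"][20:]          # SHA-1 digest is 20 octets, salt follows
    digest = hashlib.sha1(user_password + salt).digest()
    return hmac.compare_digest(digest + salt, entry["value"])

if __name__ == "__main__":
    attr = build_chap_password(7, PASSWORD, CHALLENGE)
    print("CHAP vs cleartext store:", verify_chap(attr, CHALLENGE, CLEARTEXT_ENTRY))
    print("CHAP vs SSHA store:     ", verify_chap(attr, CHALLENGE, SSHA_ENTRY))
    print("PAP vs SSHA store:      ", verify_pap(PASSWORD, SSHA_ENTRY))
```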