At 02:33 PM 5/15/2002 +1000, Gary Barnden wrote:
>Andrew,
>
>Pretty easy actually, easier than one would think

Really, do tell. Depending on the type of authentication ( assuming CHAP
or PAP, leaving out EAP for now ), the password is never transmitted in the
clear from the NAS to the Radius.

With PAP, the password is sent encoded as a reversible MD5 hash. Reversing
the hash will result in the cleartext password for that user. Knowing the
'shared secret' will allow the reversal of the MD5 hash.

With CHAP, the password itself is not sent, but rather a computed value
by the end-user that uses the password and known vector as the inputs. It
is not possible to extract the actual password from this method.

The downside ( IMHO ) to CHAP is that it requires you to store passwords
in either plaintext or a reversible hash ( as the radius server *must*
also have access to the plaintext password to verify the authentication ).

If someone has the ability to sniff traffic between your NAS and the
radius server, you probably have a lot more issues to worry about, in terms
of physical security on your network. I'd be more worried about a single
compromise of the radius server exposing *all* of your users' passwords
in the case of CHAP, than possibly extracting *some* of your users' passwords
via the use of PAP, where a server compromise would expose your shared
secrets, but not your user passwords.

EAP also addresses many of these issues, but is not yet widely supported
on dialup NAS, though it does seem to be used on quite a few
Wireless/Ethernet access products.
-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
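
Added example, not part of the original message or of FreeRADIUS: a Python sketch of the two mechanisms the message contrasts, following RFC 2865 section 5.2 (PAP User-Password hiding) and RFC 1994 (CHAP response). The secret, password and authenticator values are constructed samples, and the function names are this example's own.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: hide User-Password by XOR with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator                 # first block keys off the Request Authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev                                # later blocks key off the previous ciphertext
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream undoes the hiding, so the server
    (or anyone holding the shared secret and the packet) sees the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """End-user side: one-way MD5 over identifier, password and challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_id: int, stored_password: bytes,
                challenge: bytes, response: bytes) -> bool:
    """Server side: must recompute the response, so it needs the cleartext
    password in its user store (a one-way hash of it would not work)."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    secret = b"sample-shared-secret"        # constructed sample
    password = b"correct horse battery"     # constructed sample, spans two blocks
    ra = bytes(range(16))                   # constructed 16-byte Request Authenticator
    hidden = pap_hide(password, secret, ra)
    print("PAP on the wire :", hidden.hex())
    print("PAP with secret :", pap_recover(hidden, secret, ra))
    resp = chap_response(1, password, ra)
    print("CHAP on the wire:", resp.hex())
    print("CHAP verifies   :", chap_verify(1, password, ra, resp))
```

With PAP the server can compare the recovered password against a one-way hash in its user store; with CHAP the store itself has to hold the recoverable password, which is the trade-off the message describes.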