On Thu, Jun 27, 2002 at 01:51:27PM -0700, Lance Uyehara wrote:
> A client of mine wants to use radius with an ldap backend where the
> passwords are stored sha hashed.
> I see in the freeradius faq there is some mention of using PAP passwords,
> but when I look at the radius rfc 2138, I don't understand what is meant by
> pap passwords. Isn't the user-password always md5'd using the authenticator?

yes

> Is there a way to send the access-request and not encrypt the password?

no

PAP is what happens between the user and the NAS, not what happens between the NAS and the RADIUS server. With PAP, the RADIUS server gets the password as plaintext (protected on the wire with md5 "encryption") and hashes it, then compares it against the hash.

There is also CHAP, where the NAS sends the client a challenge, and the client generates a response, using the user password as the key. In this setup, the challenge and response are sent to the RADIUS server, but not the user password. In order to verify the response, the server has to perform the same encrypt operation the client did, and so it must have access to the plaintext password in a database somewhere (as opposed to PAP where only the hash of the password is stored).

The advantage of PAP is you don't have to save plaintext passwords in your db. The advantage of CHAP is that clients don't send their passwords in the clear to the NAS--pretty much a non-issue for dialup but for Internet access to the NAS (eg, PPTP VPNs) you need to weigh the risks of the two mechanisms.

/fc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
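The two mechanisms the reply contrasts can be shown side by side in code. The following is an added example written for this page; it is not code from the thread or from the FreeRADIUS project. It implements the RFC 2865 User-Password hiding (the md5 "encryption" keyed by the shared secret and Request Authenticator that the reply refers to) on both the NAS and server side, checks the recovered PAP password against an LDAP-style unsalted `{SHA}` value (the storage format assumed here for the client's directory), and then does the CHAP computation, where the server has to recompute MD5(ID + password + challenge) and therefore needs the plaintext. The shared secret, authenticator, challenge and password are constructed sample values.

```python
"""Added example: PAP User-Password hiding vs. CHAP response verification in
RADIUS (RFC 2865 sections 5.2 and 5.3). Secrets and passwords are constructed."""
import base64
import hashlib
import hmac


def _pad16(data: bytes) -> bytes:
    # Pad with NULs to a multiple of 16 octets, always at least one block.
    data = data + b"\x00" * ((-len(data)) % 16)
    return data or b"\x00" * 16


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request
    Authenticator. This is obfuscation keyed by the shared secret, not
    encryption in any modern sense; anyone with the secret can reverse it."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad16(password)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: reverse the chain, then strip the NUL padding
    (so a password with trailing NUL octets cannot be represented)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(h ^ k for h, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def ldap_sha_hash(password: bytes) -> str:
    """LDAP-style {SHA} userPassword value: base64 of unsalted SHA-1 (assumed
    storage format for the directory in the question)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def pap_verify(hidden: bytes, secret: bytes, authenticator: bytes, stored: str) -> bool:
    """PAP check: recover the plaintext from the request, hash it, compare.
    Only the hash has to live in the directory."""
    candidate = ldap_sha_hash(unhide_user_password(hidden, secret, authenticator))
    return hmac.compare_digest(candidate, stored)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: CHAP response is MD5(ID + password + challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, response: bytes, challenge: bytes, plaintext_password: bytes) -> bool:
    """CHAP check: the server must redo the client's computation, which is
    only possible with the plaintext password, never with a stored hash."""
    expected = chap_response(chap_id, plaintext_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret = b"shared-secret-example"           # constructed NAS/server shared secret
    authenticator = bytes(range(16))            # constructed 16-octet Request Authenticator
    password = b"correct horse battery staple"  # constructed, 28 octets -> two blocks
    hidden = hide_user_password(password, secret, authenticator)
    print("PAP verified against {SHA}:", pap_verify(hidden, secret, authenticator, ldap_sha_hash(password)))
    challenge = bytes(range(16, 32))            # constructed CHAP challenge
    resp = chap_response(7, password, challenge)
    print("CHAP verified with plaintext:", chap_verify(7, resp, challenge, password))
```

Note that `chap_verify` has no way to accept a `{SHA}` value: with only the hash on hand the server cannot produce the expected response, which is the trade-off the reply describes. The `{SHA}` format is used here because the question mentions SHA-hashed passwords; a salted form such as `{SSHA}` works the same way with PAP and resists precomputed-table attacks on a leaked directory.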
