----- Original Message -----
From: "Frank Cusack" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 27, 2002 2:22 PM
Subject: Re: radius + ldap backend

> On Thu, Jun 27, 2002 at 01:51:27PM -0700, Lance Uyehara wrote:
> > A client of mine wants to use radius with an ldap backend where the
> > passwords are stored sha hashed.
> > I see in the freeradius faq there is some mention of using PAP passwords,
> > but when I look at the radius rfc 2138, I don't understand what is meant by
> > pap passwords. Isn't the user-password always md5'd using the authenticator?
>
> yes
>
> > Is there a way to send the access-request and not encrypt the password?
>
> no
>
> PAP is what happens between the user and the NAS, not what happens between
> the NAS and the RADIUS server. With PAP, the RADIUS server gets the
> password as plaintext (protected on the wire with md5 "encryption") and
> hashes it, then compares it against the hash.

This is confusing me. I believe the RADIUS server is receiving the md5 hashed password, not plaintext, so it has to then hash the plaintext password it already has, using the supplied authenticator. Right?

> There is also CHAP, where the NAS sends the client a challenge, and the
> client generates a response, using the user password as the key. In this
> setup, the challenge and response are sent to the RADIUS server, but not
> the user password. In order to verify the response, the server has to
> perform the same encrypt operation the client did, and so it must have
> access to the plaintext password in a database somewhere (as opposed to
> PAP where only the hash of the password is stored).
>
> The advantage of PAP is you don't have to save plaintext passwords in
> your db. The advantage of CHAP is that clients don't send their passwords
> in the clear to the NAS--pretty much a non-issue for dialup but for Internet
> access to the NAS (eg, PPTP VPNs) you need to weigh the risks of the two
> mechanisms.
>
> /fc

Thanks for your prompt response, but I am still confused.

Thanks,
Lance

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
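The point of confusion in the thread is what the "md5 encryption" of the User-Password attribute actually is. The example below is added here and is not code from the thread or from FreeRADIUS: it implements the User-Password hiding from RFC 2865 (the successor of RFC 2138) section 5.2, which XORs the password with an MD5 keystream derived from the shared secret and the Request Authenticator. That operation is reversible, so a RADIUS server holding the shared secret recovers the plaintext and can then hash it with SHA and compare against an LDAP `{SHA}` value. The CHAP functions show why the same server cannot do that with CHAP: the CHAP response is MD5 over the plaintext password, so only a plaintext (or reversibly stored) password can verify it. The shared secret, authenticator, passwords and challenge are constructed test values.

```python
import base64
import hashlib
import hmac


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 §5.2 User-Password hiding, as performed by the NAS for PAP.

    The password is NUL-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret || previous ciphertext block); the first block uses
    the 16-byte Request Authenticator in place of a previous block.
    This is masking, not hashing: anyone with the shared secret can undo it.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # next keystream is chained on the ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding and strip the NUL padding.

    Passwords cannot contain NUL bytes under this scheme, so stripping
    trailing NULs is unambiguous.
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def ldap_sha_hash(password: bytes) -> str:
    """The common LDAP userPassword form: '{SHA}' + base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def verify_pap(hidden: bytes, secret: bytes, authenticator: bytes, stored_hash: str) -> bool:
    """PAP verification against an LDAP {SHA} hash: recover the plaintext from
    the wire encoding, hash it, and compare in constant time."""
    plaintext = reveal_user_password(hidden, secret, authenticator)
    return hmac.compare_digest(ldap_sha_hash(plaintext), stored_hash)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: response = MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


def verify_chap(ident: int, response: bytes, challenge: bytes, plaintext_password: bytes) -> bool:
    """CHAP verification needs the plaintext password; a {SHA} hash is of no use
    here because the server must recompute the client's MD5 over the password."""
    expected = chap_response(ident, plaintext_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed values: a lab shared secret, a fixed authenticator and a test password.
    secret = b"testing123"
    authenticator = bytes(range(16))
    hidden = hide_user_password(b"hunter2", secret, authenticator)
    print("on the wire:", hidden.hex())
    print("server recovers:", reveal_user_password(hidden, secret, authenticator))
    print("PAP vs {SHA}:", verify_pap(hidden, secret, authenticator, ldap_sha_hash(b"hunter2")))
    challenge = b"\x01" * 16
    print("CHAP:", verify_chap(7, chap_response(7, b"hunter2", challenge), challenge, b"hunter2"))
```

Run as a script it prints the masked attribute bytes, the recovered plaintext and the two verification results. The design choice worth noting for anyone fielding the question in the thread: the MD5 in User-Password hiding protects the password in transit between NAS and server and binds it to the shared secret; it is not a one-way hash of the password, which is exactly why a SHA-hashed LDAP backend works with PAP but not with CHAP.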
