On Thu, Jun 27, 2002 at 03:28:01PM -0700, Lance Uyehara wrote:
> > > PAP is what happens between the user and the NAS, not what happens between
> > > the NAS and the RADIUS server. With PAP, the RADIUS server gets the
> > > password as plaintext (protected on the wire with md5 "encryption") and
> > > hashes it, then compares it against the hash.
>
> This is confusing me. I believe the RADIUS server is receiving the md5
> hashed password, not plaintext, so it has to then hash the plaintext
> password it already has, using the supplied authenticator. Right?
No, the RADIUS server is receiving the password which is xor'd with the
shared secret (and a random value) using md5. The RADIUS server performs
another xor and recovers the plaintext. The md5 that is happening is not
just a pure hash of the value to be protected.

/fc

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
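The User-Password hiding the reply describes is specified in RFC 2865 section 5.2: the NAS pads the password to a multiple of 16 octets and XORs each block with MD5(shared secret || previous block), where the "previous block" for the first block is the 16-byte Request Authenticator. The following added example (not from the thread or from FreeRADIUS) implements both sides so the reversibility is visible; the shared secret and authenticator values are constructed for the demonstration.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of RFC 2865 section 5.2: reversible XOR hiding, not a hash."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is limited to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()        # b_i = MD5(S + c_(i-1))
        prev = _xor(padded[i:i + 16], key)                # c_i = p_i XOR b_i
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream is regenerated from the secret and the
    Request Authenticator, so a second XOR yields the plaintext again."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += _xor(block, key)
        prev = block                                      # chain on the ciphertext block
    # Padding is NULs; a password ending in NUL bytes would be ambiguous here.
    return out.rstrip(b"\x00")


def is_plain_md5_of_password(hidden: bytes, password: bytes) -> bool:
    """What the thread asks: is the attribute just md5(password)? It is not."""
    return hidden == hashlib.md5(password).digest()


if __name__ == "__main__":
    secret = b"testing123"            # constructed shared secret
    authenticator = bytes(range(16))  # constructed 16-octet Request Authenticator
    hidden = hide_password(b"correct horse battery", secret, authenticator)
    print(len(hidden), recover_password(hidden, secret, authenticator))
```

Because anyone holding the shared secret and the packet can run `recover_password`, the strength of the shared secret and the transport between NAS and server (not MD5) is what actually protects the PAP password.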
