On Fri, Mar 30, 2012 at 6:54 AM, Timothy White <[email protected]> wrote:
> Is it possible on the proxy server, to catch the challenge and
> response when the normal server is running, store them, and then issue
> the same challenge and same chap-success from the "welcome" server
> when another request is made?

You mean similar to a replay attack? Nope.

From http://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol

" CHAP provides protection against playback attack by the peer through
the use of an incrementally changing identifier and of a variable
challenge-value. CHAP requires that both the client and server know
the plaintext of the secret, although it is never sent over the
network. The MS-CHAP variant does not require either peer to know the
plaintext, but has other drawbacks. "

More complete information should be available in the RFCs, but that
short summary is good enough for me :)

-- 
FAN
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

