RADIATOR doesn't decrypt the password. It, instead, encrypts the
password it receives from the NAS and compares the two encrypted
passwords.

-Steve

----- Original Message -----
From: "Felicetti, Stephen A." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 11, 2000 2:09 PM
Subject: (RADIATOR) Decrypting passwords for authentication


> Hi there!
>
> I have a question about the way Radiator de-crypts the passwords that are
> held in my LDAP directory.
> The passwords are stored in standard unix crypt format.
> I'm using a Cisco NAS to request authentication for its dialin peers.
>
> Here's my understanding of how things work. The end user via PAP sends the
> plaintext username/password to the NAS.
> The NAS uses the radius secret to encrypt the password on the internal
> network on its way to Radiator.
> Radiator de-crypts the user password, and compares it to the password
> retrieved from LDAP.
> I'm assuming that Radiator must first de-crypt the LDAP password before the
> comparison.
> Is this correct?
>
> Now here is why I ask.....I need to begin using CHAP on the NAS. I
> understand that CHAP requires plaintext passwords in LDAP.
> If Radiator normally de-crypts the password prior to the comparison (w/
> PAP), then can't it de-crypt the LDAP password BEFORE applying the CHAP
> one-way hash? Thereby applying the hash to a plaintext password?
>
> Thanks a lot!!!
> Steve
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Stephen A. Felicetti Sr. Network Engineer
> mailto:[EMAIL PROTECTED] Fox Chase Cancer Center
> 215-728-2956 (v)
> 215-728-2513 (f)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>


===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
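
Added example, not part of the original thread and not Radiator's own code: a sketch of the two checks discussed above, showing why a one-way hashed directory entry can verify a PAP password but cannot be used to recompute a CHAP response. The function names, the shared secret and the sample password are constructed, and a salted SHA-256 stands in for unix crypt so the block runs anywhere.

```python
import hashlib
import hmac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 User-Password hiding, keyed by the shared secret."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the hiding is reversible for anyone holding the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def one_way(password: bytes, salt: bytes) -> bytes:
    """Stand-in for crypt(3): salt prefix plus a one-way digest (assumption)."""
    return salt + hashlib.sha256(salt + password).digest()

def check_pap(hidden, secret, authenticator, stored: bytes) -> bool:
    """Hash the submitted password with the stored salt, compare the hashes."""
    submitted = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(one_way(submitted, stored[:2]), stored)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Peer side, RFC 1994: MD5 over identifier, password and challenge."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def check_chap(chap_id, challenge, response, directory_value: bytes) -> bool:
    """Server must recompute the MD5 from whatever the directory holds."""
    expected = chap_response(chap_id, directory_value, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    secret, ra, pw = b"constructed-secret", bytes(range(16)), b"constructed-pass"
    stored = one_way(pw, b"ab")                      # what LDAP would hold
    print("PAP vs hash:", check_pap(pap_hide(pw, secret, ra), secret, ra, stored))
    resp = chap_response(1, pw, ra)
    print("CHAP vs hash:", check_chap(1, ra, resp, stored))
    print("CHAP vs plaintext:", check_chap(1, ra, resp, pw))
```

With PAP the server sees the submitted password and can hash it forward; with CHAP it only sees an MD5 that includes the password, so the directory value has to be the password itself.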
