Hi guys -

We've just hit a bit of a problem due to the fact that we store our user
passwords in encrypted format (in an LDAP database), but our provider's
NAS's (all 500 of them) specify CHAP before PAP, so dial-up clients
default to CHAP, and therefore do not authenticate.

Using PAP, the NAS sends the user's password in plaintext to the radius
server, which encrypts it and compares it to the locally stored (already
encrypted) password. If they match, the user is authenticated. (GOOD)

Using CHAP, the NAS encrypts the user's password via the shared secret,
and Radiator tries to encrypt the locally stored plaintext password, (also
using the shared secret) and compares it to the encrypted password that
the NAS sent. If they match, the user is authenticated. But since we store
the passwords in encrypted format, this will not work. (BAD)

All of these things are very hard to change -

1.) we don't want to have to get our provider to default their NAS's to
PAP (even if that's possible)
2.) we don't want to have to store the user passwords in plaintext (this
would require massive change with our system)
3.) we don't want to have all the dial-up customers disable CHAP in their
networking settings (it should just work)

What we want is to be able to tell the NAS's via Radiator to auth via PAP
instead of CHAP - is this possible? It would solve all our problems.
(well, almost ;o)

Thanks in Advance,
Rob.
--
+-----------------------------+
Rob Hill
Systems Administrator
Dot Communications
Tel: (02) 9281 1111 Ext.101
+-----------------------------+
Rob Has Spoken.
+-----------------------------+
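
Added example, not part of the original post and not Radiator code: a minimal Python model of why a one-way-hashed password store can verify PAP but not CHAP. It assumes a salted SHA-1 storage format (the post does not name the scheme) and uses the CHAP response from RFC 1994, MD5(identifier || password || challenge); all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

SALT_LEN = 4  # assumed salt length for the illustrative storage format


def store_password(password: bytes, salt: bytes) -> bytes:
    """Directory record: salt + SHA-1(password + salt). One-way (assumed scheme)."""
    return salt + hashlib.sha1(password + salt).digest()


def verify_pap(received_password: bytes, stored: bytes) -> bool:
    """PAP: the server holds the typed password, so it can re-hash and compare."""
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(store_password(received_password, salt), stored)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(ident: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """CHAP: the server must recompute the response from its own copy of the secret."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-pass"            # constructed sample value
    stored = store_password(password, os.urandom(SALT_LEN))
    ident, challenge = 7, os.urandom(16)      # values the NAS would choose
    client_resp = chap_response(ident, password, challenge)
    return {
        # PAP works against the hashed record.
        "pap_with_hash": verify_pap(password, stored),
        "pap_wrong_password": verify_pap(b"wrong", stored),
        # CHAP works only if the server has the plaintext password.
        "chap_with_plaintext": verify_chap(ident, challenge, client_resp, password),
        # With only the hashed record the recomputed response cannot match.
        "chap_with_hash": verify_chap(ident, challenge, client_resp, stored),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```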
===
Archive at http://www.starport.net/~radiator/