3APA3A <[EMAIL PROTECTED]> wrote: > BTW: for MS-CHAPv1 Microsoft uses standard rad_pwencode() to encrypt > MS-CHAP-MPPE-Keys attribute. Currently I call rad_pwencode() from > rlm_mschap. May be we should process all rad_pwencode'd attributes in > the way we process Tunnel-Password encryption? That is instead of > calling rad_pwencode/rad_pwdecode for Password we should mark Password > and MS-CHAP-MPPE-Keys as encrypt=1 in the dictionary and handle all > encrypted attributes?
Yes, with one condition. Attributes received FROM a home server (proxy reply) should be marked as "already encrypted". When the server handles them, it should either leave them alone when sending, OR it should decrypt them as it receives them, and encrypt them before sending them out. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
