> On Thu, Jun 27, 2002 at 03:28:01PM -0700, Lance Uyehara wrote:
> > > PAP is what happens between the user and the NAS, not what happens between
> > > the NAS and the RADIUS server. With PAP, the RADIUS server gets the
> > > password as plaintext (protected on the wire with md5 "encryption") and
> > > hashes it, then compares it against the hash.
> >
> > This is confusing me. I believe the RADIUS server is receiving the md5
> > hashed password, not plaintext, so it has to then hash the plaintext
> > password it already has, using the supplied authenticator. Right?
>
> No, the RADIUS server is receiving the password which is xor'd with
> the shared secret (and a random value) using md5. The RADIUS server
> performs another xor and recovers the plaintext.
>
> The md5 that is happening is not just a pure hash of the value to be
> protected.
I understand now. Thanks for clearing this up, Lance

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
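The User-Password hiding Lance describes is the RFC 2865 section 5.2 scheme: the password is padded to a multiple of 16 bytes, the first block is XORed with MD5(shared secret + Request Authenticator), and each following block is XORed with MD5(shared secret + previous ciphertext block). Because the MD5 output is only used as a keystream, the server reverses the XOR and gets the plaintext back, which it can then check against whatever form the user database stores. The following is an added example written for this thread, not code from FreeRADIUS or from any poster; the shared secret, password and Request Authenticator values are constructed for illustration.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest length; RFC 2865 hides User-Password in 16-byte blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 s5.2): pad the password with NULs to a 16-byte
    multiple, then c1 = p1 XOR MD5(S + RA), ci = pi XOR MD5(S + c(i-1))."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()  # keystream, not a hash of the password
        block = _xor(padded[i:i + BLOCK], keystream)
        hidden += block
        prev = block  # chaining: next keystream depends on this ciphertext block
    return bytes(hidden)


def recover_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream from the shared secret and the
    Request Authenticator carried in the packet, XOR again, and strip the NUL padding."""
    if not hidden or len(hidden) % BLOCK != 0:
        raise ValueError("hidden User-Password length must be a non-zero multiple of 16")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        plain += _xor(block, keystream)
        prev = block  # the server chains on the received ciphertext, just as the NAS did
    # RFC 2865 pads with NULs; a password cannot end in NUL, so stripping them is safe
    return bytes(plain).rstrip(b"\x00")


def server_accepts(hidden: bytes, secret: bytes, request_authenticator: bytes,
                   stored_digest: bytes) -> bool:
    """What the server actually does with PAP: recover the plaintext, then hash it
    with the user database's own scheme (here a constructed SHA-256 store) and compare.
    The MD5 on the wire plays no part in the comparison."""
    candidate = recover_user_password(hidden, secret, request_authenticator)
    return hashlib.sha256(candidate).digest() == stored_digest


if __name__ == "__main__":
    # Constructed demo values; a real NAS draws the Request Authenticator at random per packet
    secret = b"example-shared-secret"
    password = b"correct horse battery staple"  # 28 bytes -> two 16-byte blocks on the wire
    ra = os.urandom(BLOCK)
    on_wire = hide_user_password(password, secret, ra)
    print("hidden User-Password (hex):", on_wire.hex())
    print("recovered:", recover_user_password(on_wire, secret, ra))
    print("accepted:", server_accepts(on_wire, secret, ra, hashlib.sha256(password).digest()))
```

Two things the thread's confusion turns on are visible in the code: `recover_user_password` needs nothing but the shared secret and the Request Authenticator from the packet, so the server never has to know how the password was stored to get the plaintext back; and the same function run by anyone else who knows (or guesses) the shared secret recovers it equally well, which is why the secret's strength and the network path between NAS and server are the real protection for PAP, not the MD5 step.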