Frank Cusack wrote:
> 
> On Tue, Sep 17, 2002 at 09:39:14AM +0800, Nicholas Sim wrote:
> > We manage to log the user but not the password of the user, even though
> > we put 'yes' to all of the attributes in the radius.conf.
> >
> > Wed Aug 14 21:57:16 2002 : Auth: Login incorrect: [william/<no User-Password
> > attribute>] (from client private-network-1 port 37 cli 00082131a705)
> >
> > Why?
> 
> If the user is authenticating via CHAP the password is not available.  The
> log message seems to indicate that this is the case, but you can be sure
> by doing radiusd -X to see how the user authenticated.

Frank, you are of course right about the problem itself; however,
it's not actually CHAP in that case, it's EAP/MD5 according to the
question. EAP/MD5 is pretty much the same, though there are major
differences in the actual network packets produced. Anyway, the idea _IS_
the same: the password is not available in clear on the wire or on the
mid-way, i.e. proxy etc. One of the differences between CHAP and
EAP/MD5 is the production of the challenge: as far as I know, in the
CHAP case it's the NAS which generates challenges. With EAP/MD5 it's
freeradius.

Nicholas: on the mid-way they only see MD5 hashes of
challenges+passwords. Only the authentication ends know the passwords
and could log them, but this is kind of completely useless, just look it
up in the config file.


ciao
artur


-- 
Artur Hecker
artur[at]hecker.info
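
The point made in this thread, as an added example that is not part of the original messages and not FreeRADIUS code: with CHAP (RFC 1994) and EAP-MD5 the request carries only MD5(id || password || challenge), so a logger has no User-Password to print, while the server verifies by recomputing the digest from its stored cleartext. The RADIUS CHAP-Password layout follows RFC 2865; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP and EAP-MD5 both send MD5(identifier || secret || challenge).
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_password_attr(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RADIUS CHAP-Password value (RFC 2865): 1-byte CHAP ident + 16-byte response.
    return bytes([ident]) + chap_response(ident, secret, challenge)


def verify(attr: bytes, challenge: bytes, stored_cleartext: bytes) -> bool:
    # Only an end that holds the cleartext password can recompute the digest.
    if len(attr) != 17 or not challenge:
        return False  # malformed attribute or missing challenge
    expected = chap_response(attr[0], stored_cleartext, challenge)
    return hmac.compare_digest(expected, attr[1:])


def password_for_log(request: dict) -> str:
    # Mirrors the log line in the thread: no User-Password, nothing to print.
    pw = request.get("User-Password")
    if pw is None:
        return "<no User-Password attribute>"
    return pw.decode(errors="replace")


# Constructed sample values (hypothetical, not taken from the thread).
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = b"correct horse"
REQUEST = {
    "User-Name": b"william",
    "CHAP-Challenge": CHALLENGE,
    "CHAP-Password": chap_password_attr(0x25, PASSWORD, CHALLENGE),
}

if __name__ == "__main__":
    print("what a proxy or logger sees:", password_for_log(REQUEST))
    print("on the wire:", REQUEST["CHAP-Password"].hex())
    print("server with cleartext verifies:",
          verify(REQUEST["CHAP-Password"], CHALLENGE, PASSWORD))
    print("wrong password verifies:",
          verify(REQUEST["CHAP-Password"], CHALLENGE, b"guess"))
```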
