On Wed, Jan 29, 2003 at 06:35:05PM -0600, Ryan Beisner wrote:
> Hi All
>
> My problem is: when a Win9x machine dials and auths, it uses CHAP.
> While I'm "tailing" the log file, it points out that it isn't gonna
> work, and to read the FAQ. OK.
>
> Is there any way to allow CHAP authentication to LINUX SYSTEM accounts
> (via passwd, shadow, etc) ??

No, but you CAN force the other end to only accept PAP. We only accept
PAP here, and as far as I know, all dialup accounts work without any
special settings. We haven't had any customers complaining about it, and
most of them end up using win95/98 that they borrowed from friends.

Here, we just set

    authenticate {
        authtype PAP {
            pap
        }
        pap
    }

in the radiusd.conf, and it's working nicely.

That said, the problem with CHAP is that the radius server *must* know
the full password, since CHAP is in effect a shared-secret based
authentication mechanism, and if it's encrypted using a one-way hash, you
won't be able to get the password out of it to build the
challenge/response packets.

Personally, I'd rather risk someone breaking into the phone exchange and
sniffing the password off the wire than someone lifting the entire set of
passwords from my radius server.

Also, it's possible for you to actually add the cleartext password to
/etc/raddb/users(.conf) and have that override the shadow password. Less
messing around than SQL, but harder to maintain, and still easy to steal.

Andrew Pilley

>
> Thanks in advance!
>
> -Ryan
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
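
Added example, not part of the original message and not FreeRADIUS code: the point in the reply above about CHAP needing the full password, shown with the RFC 1994 MD5 response calculation. The password, salt, identifier and challenge are constructed sample values, and PBKDF2 is an assumed stand-in for a shadow-style one-way hash.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a shadow-style hash (assumption: PBKDF2, not crypt(3))."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_pap(sent_password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """PAP hands the server the password itself, so it can hash and compare."""
    return hmac.compare_digest(one_way_hash(sent_password, salt), stored_hash)


def verify_chap(ident: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    """CHAP: the server must recompute the response from what it has stored."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-sample-password"   # constructed value
    salt = b"\x01" * 16                         # fixed so the run is repeatable
    stored_hash = one_way_hash(password, salt)  # what a shadow-style store holds
    ident, challenge = 7, bytes(range(16))      # constructed CHAP challenge
    response = chap_response(ident, password, challenge)  # what the client sends
    return {
        # Hash-only storage is enough for PAP.
        "pap_with_hash": verify_pap(password, salt, stored_hash),
        # CHAP verifies when the server stores the cleartext password.
        "chap_with_cleartext": verify_chap(ident, challenge, response, password),
        # With only the one-way hash the server cannot rebuild the response.
        "chap_with_hash": verify_chap(ident, challenge, response, stored_hash),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```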