On Wed, Jan 29, 2003 at 06:35:05PM -0600, Ryan Beisner wrote:
> Hi All
> 
> My problem is:  when a Win9x machine dials and auths, it uses CHAP. 
> While I'm "tailing" the log file, it points out that it isn't gonna
> work, and to read the FAQ.  OK.
> 
> Is there any way to allow CHAP authentication to LINUX SYSTEM accounts
> (via passwd, shadow, etc) ?? 

No, but you CAN force the other end to only accept PAP. We only accept
PAP here, and as far as I know, all dialup accounts work without any
special settings. We haven't had any customers complaining about it, and
most of them end up using win95/98 that they borrowed from friends.

Here, we just set
authenticate {
        authtype PAP {
                pap
        }

        pap
}

in the radiusd.conf, and it's working nicely.

That said, the problem with CHAP is that the RADIUS server *must* know
the full password, since CHAP is in effect a shared-secret based
authentication mechanism, and if it's encrypted using a one-way hash,
you won't be able to get the password out of it to build the
challenge/response packets.

Personally, I'd rather risk someone breaking into the phone exchange and
sniffing the password off the wire than someone lifting the entire set
of passwords from my RADIUS server.

Also, it's possible for you to actually add the cleartext password to
/etc/raddb/users(.conf) and have that override the shadow password. Less
messing around than SQL, but harder to maintain, and still easy to
steal.

Andrew Pilley

> 
> 
> Thanks in advance!
> 
> -Ryan
> 
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
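
Added example, not part of the original post or of FreeRADIUS: a small model of the point made in the reply, showing that PAP can be checked against a one-way hash while the CHAP response (RFC 1994: MD5 over identifier, secret, challenge) can only be recomputed from the cleartext password. PBKDF2 stands in for the crypt(3) shadow hash, and the password, salt, identifier and challenge are constructed sample values.

```python
import hashlib
import hmac


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 as a stand-in for a crypt(3)-style shadow entry.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_pap(shadow_entry, submitted_password: bytes) -> bool:
    """PAP hands the server the password itself, so it can be re-hashed and compared."""
    salt, digest = shadow_entry
    return hmac.compare_digest(one_way_hash(submitted_password, salt), digest)


def verify_chap(known_secret, chap_id: int, challenge: bytes, response: bytes) -> bool:
    """CHAP hands the server only a digest; the server must rebuild it from the secret."""
    if known_secret is None:
        return False  # nothing to feed into MD5: only a one-way hash is on file
    expected = chap_response(chap_id, known_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-example-password"   # constructed sample value
    salt = bytes(16)                             # fixed so the run is reproducible
    shadow_entry = (salt, one_way_hash(password, salt))
    chap_id, challenge = 7, bytes(range(16))     # constructed identifier and challenge
    response = chap_response(chap_id, password, challenge)  # what the dial-up client sends
    return {
        "pap_against_hash": verify_pap(shadow_entry, password),
        "chap_with_hash_only": verify_chap(None, chap_id, challenge, response),
        # Feeding the stored hash in as if it were the secret does not help either.
        "chap_hash_as_secret": verify_chap(shadow_entry[1], chap_id, challenge, response),
        "chap_with_cleartext": verify_chap(password, chap_id, challenge, response),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```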
