Title: RE: freeradius ldap and chap authentication problems
Hi,
I have recently experienced the same issues as yourself.  This isn't going to help solve your problem but it will allow for a better understanding of the situation.
 
The "passwords" used in CHAP are actually a one-way hash generated by the client machine, using the password entered by the user, and the "challenge" sent by the NAS. At the RADIUS server the same is done with the same "challenge" from the NAS and the clear-text password stored in the db. The RADIUS server compares the two hashes, giving an accept or deny.
 
The "challenge" is different every time a connection is made, resulting in a new hash every time. If an attacker intercepted the packets he/she would see the hash, which cannot be reversed to give the password.
 
As you can see, with CHAP, the clear text password is a requirement at both ends of the connection.
 
Regards Mike D.

[Michael Davidson]  -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Tjeerd Bos
Sent: 11 June 2003 12:44
To: [EMAIL PROTECTED]
Subject: RE: freeradius ldap and chap authentication problems

I know what the problem is:
In our ldap the passwords are not stored in clear text. Other applications need them encrypted. CHAP needs passwords stored in clear text on ldap.

Isn't it possible to introduce an ldap encrypt module in rlm_ldap so that the encrypted password matches the encrypted userPassword in ldap?

greetings,
Tjeerd Bos

PinkRoccade Infra Structures
Apeldoorn
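
The CHAP computation described in the reply, as an added example that is not part of the original thread or of FreeRADIUS code. It uses the RFC 1994 MD5 form of CHAP; the password, challenges and the `{SSHA}`-style stored value are constructed, and the storage format is an assumption, since the thread does not say how the directory hashes `userPassword`.

```python
import base64
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP with MD5: one-way hash over identifier, secret, challenge.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def server_check(ident: int, challenge: bytes, response: bytes, stored: bytes) -> bool:
    # The server can only repeat the client's computation with what it has stored.
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)


def ssha(password: bytes, salt: bytes) -> bytes:
    # Assumed directory format: {SSHA}base64(sha1(password + salt) + salt)
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)


def demo() -> dict:
    # All values below are constructed for the example.
    password = b"example-password"
    stored_hash = ssha(password, b"\x01\x02\x03\x04")
    c1 = bytes.fromhex("00112233445566778899aabbccddeeff")
    c2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    r1 = chap_response(1, password, c1)  # client answer to the first challenge
    r2 = chap_response(2, password, c2)  # client answer to a later challenge
    return {
        # Same password, new challenge: a different hash on the wire each time.
        "responses_differ": r1 != r2,
        # Server holding the clear-text password reproduces the hash.
        "cleartext_store_accepts": server_check(1, c1, r1, password),
        # Server holding only the salted hash cannot reproduce it.
        "hashed_store_accepts": server_check(1, c1, r1, stored_hash),
        # A captured response is useless against a fresh challenge.
        "replay_on_new_challenge": server_check(2, c2, r1, password),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
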
