Luis Daniel Lucio Quiroz wrote:
> Isn't it a security problem clear text password to permit
> CHAP?

Depending on your configuration, it may be one. Essentially, there are two possible points of attack:

- the network: Try to intercept "the password" during transfer.
- the configuration files: Try to read/modify user passwords.

Now you can use either "PAP" (transfer clear-text password and compare its hash value with the hash value stored on the server) - safe against stealing password from server (only hash value is stored), but risky if your network is not secure.

Or you can use "CHAP" (get a challenge, encrypt the challenge using your password as "encryption key", server needs to know the correct "encryption key" to verify the correctness of the client's encryption) - safe against snooping on the network, but password is stored on the server.

From my point of view, if you can steal passwords from the server, you likely can steal information needed to send "false" accept packets as well, i.e. if an attacker can get to the CHAP passwords, your security is compromised anyway and there (usually) is more interesting stuff for the attacker than stealing passwords.

OTOH, network sniffing is "easily" done, so PAP really isn't a good alternative, even though it's not quite as dumb as my description makes it sound (it's not really clear text, it's encrypted using the shared RADIUS secret, but there you can try dictionary attacks and it's stored on both client and server in clear text, so if you think CHAP is a problem, then PAP is no better than a clear-text password transfer).

Regards,
Stefan
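
Added example, not part of the original message or of FreeRADIUS: a Python sketch of the trade-off described above, using the CHAP digest from RFC 1994 and the User-Password hiding from RFC 2865. The function names, the PBKDF2 storage scheme and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident: int, stored: bytes, challenge: bytes, response: bytes) -> bool:
    # RFC 1994: MD5(id || secret || challenge); recomputing it needs the clear-text password.
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)

def hash_password(password: bytes, salt: bytes) -> bytes:
    # Storage scheme is an assumption of this example (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_verify(salt: bytes, stored_hash: bytes, received: bytes) -> bool:
    # PAP delivers the password itself, so a stored hash is enough to check it.
    return hmac.compare_digest(hash_password(received, salt), stored_hash)

def radius_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 User-Password: XOR 16-byte blocks with MD5(secret || previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def radius_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Anyone holding the shared secret can reverse the hiding.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def demo() -> dict:
    password, secret, salt = b"correct horse battery", b"example-secret", b"\x01" * 16  # constructed
    stored_hash = hash_password(password, salt)
    challenge, authenticator = os.urandom(16), os.urandom(16)
    response = chap_response(7, password, challenge)
    on_wire = radius_hide(password, secret, authenticator)
    return {
        "chap_server_has_cleartext": chap_verify(7, password, challenge, response),
        "chap_server_has_hash_only": chap_verify(7, stored_hash, challenge, response),
        "pap_server_has_hash_only": pap_verify(salt, stored_hash, radius_unhide(on_wire, secret, authenticator)),
    }
```

`demo()` shows that CHAP verification fails when the server holds only a hash, while PAP verification succeeds against the hash once the server has removed the shared-secret hiding.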