(RADIATOR) EAP_LEAP_MSCHAP_Convert

Ingvar Berg (LI/EAB) ingvar.berg at ericsson.com
Thu Jan 19 01:22:27 CST 2006


Hi,

The CHAP procedure needs the password in clear, but that doesn't prevent you from storing it in encrypted form. But it will be quite an overhead, both administrative (you'd like to change the key now and then) and at each authentication.

/Ingvar 

> -----Original Message-----
> From: owner-radiator at open.com.au 
> [mailto:owner-radiator at open.com.au] On Behalf Of António Fernandes
> Sent: den 18 januari 2006 19:02
> To: radiator at open.com.au
> Subject: RE: (RADIATOR) EAP_LEAP_MSCHAP_Convert
> 
> 
> Can't you use NTLM crypted passwords with CHAP? I think you 
> can... I'm using it to authenticate Windows VPN clients 
> against a MySQL database and it's working fine. You just have 
> to add "{nthash}" before the encrypted password and match it...
> 
> 
> Antonio Fernandes
> 
> 
> -----Original Message-----
> From: owner-radiator at open.com.au 
> [mailto:owner-radiator at open.com.au] On Behalf Of Ingvar Berg (LI/EAB)
> Sent: quarta-feira, 18 de Janeiro de 2006 15:39
> To: radiator at open.com.au
> Subject: RE: (RADIATOR) EAP_LEAP_MSCHAP_Convert
> 
>  
> 
> > -----Original Message-----
> > From: owner-radiator at open.com.au
> > [mailto:owner-radiator at open.com.au] On Behalf Of Joe Honnold
> > Sent: den 18 januari 2006 15:09
> > To: radiator at open.com.au
> > Subject: (RADIATOR) EAP_LEAP_MSCHAP_Convert
> > 
> > I read thru the release notes for 3.14 and came across the 
> > EAP_LEAP_MSCHAP_Convert section.
> > 
> > "Added new parameter EAP_LEAP_MSCHAP_Convert that converts incoming 
> > LEAP requests to conventional Radius-MSCHAP requests that can then be 
> > handled locally or proxied to a remote Radius server that cannot 
> > handle LEAP, but which can handle Radius-MSCHAP. Also added example 
> > config file goodies/eap_leap_proxy.cfg. Requested by Michael Ting."
> > 
> > I am interested in this as I think it may solve an issue I have with 
> > LEAP using LDAP authentication.
> > When working on LEAP authentication I hit the limitation that LDAP 
> > passwords need to be stored in clear text.
> > Is it possible the EAP_LEAP_MSCHAP_Convert would solve this issue?
> > 
> > 1.  LEAP request is received.
> > 2.  Radiator using EAP_LEAP_MSCHAP_Convert makes the request a 
> > standard Radius-MSCHAPV2 request.
> > 3.  The request is handled locally or passed to another Radiator 
> > server that does Radius-MSCHAPV2 via LDAP.
> > 
> > What am I missing?
> 
> The problem is that MSCHAP, like any other CHAP, needs the pw 
> in clear.
> /Ingvar
> > TIA
> > 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
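
The constraint discussed in this thread, shown for standard CHAP as defined in RFC 1994, as an added example that is not part of the original messages and is not Radiator code. The function names and the sample password are constructed for illustration; the one-way store uses PBKDF2 as an assumed stand-in for any salted directory hash.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_with_cleartext(stored_secret: bytes, ident: int,
                          challenge: bytes, response: bytes) -> bool:
    """Server holds the same secret the client typed, so it can recompute."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def store_one_way(password: bytes, salt: bytes) -> bytes:
    """Assumed one-way store: only a salted hash is kept, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_with_one_way_hash(stored_hash: bytes, ident: int,
                             challenge: bytes, response: bytes) -> bool:
    """Server can only feed the stored hash into the CHAP formula.

    The client used the password itself, so the two digests never match.
    """
    expected = chap_response(ident, stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"constructed-sample-password"  # constructed sample value
    ident, challenge = 7, os.urandom(16)       # server-chosen per request
    response = chap_response(ident, password, challenge)  # client side
    hashed = store_one_way(password, os.urandom(16))
    return {
        "cleartext_store": verify_with_cleartext(password, ident, challenge, response),
        "one_way_store": verify_with_one_way_hash(hashed, ident, challenge, response),
        "wrong_password": verify_with_cleartext(b"other", ident, challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```

A reversibly encrypted store, as suggested in the reply above, would decrypt the secret first and then call `verify_with_cleartext`.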

