[RADIATOR] CHAP client question

Heikki Vatiainen hvn at open.com.au
Mon Apr 30 03:37:11 CDT 2012


On 04/27/2012 03:43 PM, Markus Moeller wrote:

Hello Markus,

>   I have a radius client which uses CHAP instead of PAP.  Is there
> anything I need to change in the config to support this client ?

No, if you have a password database that has passwords in plaintext format.

> I noticed it works for me only with a user file with a cleartext 
> password.

Yes, that is true. Generally, if the authentication protocol sends the
password in plaintext format, any authentication method at the RADIUS
server side can be used. Also, if the password database has the passwords
in plaintext format, most authentication protocols (using hashes,
plaintext, etc.) will work.

> If I use PAM (the password which is passed to the pam
> module is empty) or MD5 encrypted password in the user file I get
> denied.

CHAP does not send a password. Instead it sends a hashed value that is
calculated based on the password and other information. So there is no
password that can be passed to PAM. In this case it does not matter what
format the user file has.

Note that if you used e.g., AuthBy FILE with plaintext passwords, CHAP
would work. However, the usual concerns about storing plaintext
passwords would apply in this case.

> All other PAP clients work fine.

Yes, with PAM that sounds correct.

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
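
The point made in the reply above, as an added example that is not part of the original message or of Radiator's code: a CHAP response (RFC 1994) is MD5 over the identifier, the password and the challenge, so the server has to hold the plaintext password to recompute it, while PAP hands over the password itself and can be checked against a stored hash. The function names, the sample password and the salted SHA-256 store are assumptions made for illustration.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(chap_password_attr: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    """Check a RADIUS CHAP-Password attribute: 1-byte identifier + 16-byte response."""
    if len(chap_password_attr) != 17:
        return False
    ident, response = chap_password_attr[0], chap_password_attr[1:]
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def verify_pap_against_hash(submitted: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """PAP delivers the password itself, so the server can hash it and compare."""
    candidate = hashlib.sha256(salt + submitted).digest()
    return hmac.compare_digest(candidate, stored_hash)

def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    password = b"constructed-sample-pw"
    challenge = bytes(range(16))
    other_challenge = bytes(range(16, 32))
    ident = 7
    # What the CHAP client puts on the wire: no password, only the digest.
    attr = bytes([ident]) + chap_response(ident, password, challenge)
    # Hypothetical hashed password store (stand-in for PAM or a hashed user file).
    salt = b"constructed-salt"
    stored_hash = hashlib.sha256(salt + password).digest()
    return {
        # Plaintext store: the server can recompute the digest.
        "chap_plaintext_store": verify_chap(attr, challenge, password),
        # Hashed store: the stored value is not the CHAP secret, so CHAP fails.
        "chap_hashed_store": verify_chap(attr, challenge, stored_hash),
        # The same hashed store works for PAP, which carries the password.
        "pap_hashed_store": verify_pap_against_hash(password, salt, stored_hash),
        # A response is bound to its challenge and does not verify against another.
        "chap_other_challenge": verify_chap(attr, other_challenge, password),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```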

