From owner-freebsd-isp Mon Aug 19 21:35:44 1996
Return-Path: owner-isp
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA18701 for isp-outgoing; Mon, 19 Aug 1996 21:35:44 -0700 (PDT)
Received: from databus.databus.com (databus.databus.com [198.186.154.34]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id VAA18688 for ; Mon, 19 Aug 1996 21:35:38 -0700 (PDT)
From: Barney Wolff
To: freebsd-isp@FreeBSD.ORG
Date: Tue, 20 Aug 1996 00:27 EDT
Subject: Re: newbie isp question
Content-Type: text/plain
Message-ID: <321940960.a57@databus.databus.com>
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Date: Mon, 19 Aug 1996 19:22:55 -0700 (PDT)
> From: Michael Dillon
>
> > 2) radius. CHAP can't use radius with password pointing to
> > unix password file, is that true?
>
> Not true. RADIUS is a protocol for a NAS (Network Access Server) to
> communicate with an Authentication Server. The AS can use whatever it
> wants to for verifying the password and user name. Since CHAP is part of
> the PPP protocol set, the AS has nothing to do with it. If you have any
> questions about CHAP and RADIUS you should be asking your NAS vendors
> whether their PPP implementation will do CHAP and emit RADIUS queries.

Actually, RADIUS has nothing to do with it. CHAP cannot be used with any
one-way encryption of the user's password, because the actual password is
needed as input to the CHAP MD5 computation.

In case that was not clear, one more time: to do CHAP, *both* sides (caller
and verifier) need access to the clear-text form of the user's password, so
neither side can store it using one-way encryption, but must use reversible
encryption or none at all. That applies whether the password is checked
directly by the NAS or remotely by an auth server.

You can't use the Unix password file to verify CHAP, whether you're doing it
locally or asking an auth server to do it.

Barney Wolff