From owner-freebsd-isp Mon Jun 8 03:12:02 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id DAA10132
    for freebsd-isp-outgoing; Mon, 8 Jun 1998 03:12:02 -0700 (PDT)
    (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from freefall.pipeline.ch (intranet.pipeline.ch [195.134.128.66])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA10093
    for ; Mon, 8 Jun 1998 03:11:52 -0700 (PDT)
    (envelope-from andre@pipeline.ch)
Received: from pipeline.ch ([195.134.128.41])
    by freefall.pipeline.ch (Netscape Mail Server v2.02) with ESMTP id AAA352;
    Mon, 8 Jun 1998 12:10:53 +0200
Message-ID: <357BB8B1.55C43D5@pipeline.ch>
Date: Mon, 08 Jun 1998 12:10:57 +0200
From: "IBS / Andre Oppermann"
Organization: Internet Business Solutions Ltd. (AG)
X-Mailer: Mozilla 4.03 [en] (WinNT; U)
MIME-Version: 1.0
To: Andreas Klemm
CC: isp@FreeBSD.ORG
Subject: Re: how does PPP CHAP work ?
References: <19980608115605.21479@hightek.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Andreas Klemm wrote:
>
> Hi !
>
> I need some quick advice about PPP CHAP, hope you can help.

Yes 8-)

> I have a USR TC Access Router. We only use PAP authentication.
> A typical Radius entry looks like this:
>
> username password, etc ... and then
>         User-Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Port-Limit = 1,
>         Framed-IP-Address = 195.90.205.247,
>         Framed-Netmask = 255.255.255.0,
>         Framed-Routing = None,
>         Framed-Compression = None,
>         Framed-MTU = 1500
>
> Would that PAP client be able to authenticate via CHAP with the
> same RADIUS authentication entry ? I heard from USR tech support,
> that both pap and chap are supported.

No. You have two problems:

1. PAP passwords are in clear text
2. CHAP is not CHAP, there is one CHAP standard and MS-CHAP
   Please read the discussion in Brian's newest userland-ppp
3. CHAP passwords need special handling on the RADIUS server
   (Challenge Handshake Auth Protocol)

> A colleague of mine claims, that it wouldn't be possible, because
> CHAP would use a two way handshake, that means, our access router
> would have to authenticate itself with username and password on
> the client access router.

No, that depends on your configuration.

> On the other hand I didn't find any hint in the official radius
> 2.0.1 manual, that there is a switch/token, what authentication
> to use (PAP or CHAP) and no config tokens, where I could set the
> login and password we'd use to authenticate us on the client.

Well, I allow only PAP at the moment because of those problems but
I think you need a CHAP password entry with a special encrypted
password (with the RFC CHAP or MS-CHAP). But that depends IMO on
the RADIUS client/Dial-In server.

> My own experiences told me, that I have to login myself on
> Cisco's using CHAP and on the cisco client router I don't
> provide a special entry for the Access Server (Cisco Router at
> the ISP).

--
Andre Oppermann
CEO / Geschaeftsfuehrer
Internet Business Solutions Ltd. (AG)
Hardstrasse 235, 8005 Zurich, Switzerland
Fon +41 1 277 75 75 / Fax +41 1 277 75 77
http://www.pipeline.ch
ibs@pipeline.ch

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
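
Point 3 of the reply above, as an added example that is not part of the original message or of any RADIUS server's code: a sketch of how a server checks a standard (RFC 1994) CHAP response forwarded in the RADIUS CHAP-Password attribute, next to a PAP check against a hash-only user database. The function names, the SHA-256 storage format and the sample credential are assumptions made for illustration; MS-CHAP uses a different computation and is not covered.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(chap_password: bytes, challenge: bytes, cleartext: bytes) -> bool:
    """Check a RADIUS CHAP-Password attribute (RFC 2865): one octet of CHAP
    identifier followed by the 16-octet response. The server must recompute
    the digest, so it needs the user's secret in cleartext."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(response, chap_response(ident, cleartext, challenge))

def verify_pap(candidate: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """With PAP the server receives the password itself, so comparing against
    a salted one-way hash is enough (SHA-256 is an assumed storage format)."""
    return hmac.compare_digest(hashlib.sha256(salt + candidate).digest(), stored_hash)

def demo():
    password = b"correct horse"                       # constructed sample credential
    salt = os.urandom(16)
    stored_hash = hashlib.sha256(salt + password).digest()  # hash-only user entry
    challenge = os.urandom(16)                        # issued by the access server
    ident = 7
    # What the access server would forward after the client answers the challenge.
    attr = bytes([ident]) + chap_response(ident, password, challenge)
    pap_ok = verify_pap(password, salt, stored_hash)            # hash-only entry works
    chap_ok = verify_chap(attr, challenge, password)            # cleartext entry works
    chap_hash_only = verify_chap(attr, challenge, stored_hash)  # hash-only entry fails
    return pap_ok, chap_ok, chap_hash_only

if __name__ == "__main__":
    print(demo())
```

A user entry that stores only a one-way hash can serve PAP but cannot verify CHAP, which is one concrete form of the "special handling" mentioned in the reply.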