From: Barney Wolff
To: freebsd-isp@FreeBSD.ORG
Date: Mon, 8 Jun 1998 17:23 EDT
Subject: Re: how does PPP CHAP work ?
Message-ID: <357c59a20.6c5d@databus.databus.com>

There is much confusion here. If the Radius server's user file contains the user's actual password, either in clear text or in reversibly encrypted form, CHAP will work fine. If you are using the Unix passwd file to authenticate, CHAP will not work, because the server needs the actual password to check the CHAP response. In the freely available Livingston-based (1.16) Radius server, there is no distinction in the users file for PAP or CHAP authentication, and a given user can be authenticated either way (not recommended, but sometimes convenient).

Quite separate from this, some cisco routers do bidirectional authentication when connecting. Nothing in standard Radius gives any way to specify how the NAS should respond if the caller wants to authenticate the NAS. By the time a Radius request comes to the server, the decision of PAP/CHAP has already been made, by LCP negotiation between the NAS and the caller.

Microsoft clients can use either standard CHAP or MS-CHAP. RAS, as a dialin server, uses MS-CHAP by default and will not work with a standard Radius server. That's changed in NT 5 (some service pack) so that NT can be configured to proxy to a standard Radius server, provided the server is right up-to-date. For example, NT sends the CHAP challenge as a Radius attribute rather than in the Authenticator. Legal, but an old Radius server won't like it.

Barney Wolff
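
Added example, not part of the original message and not code from any Radius server: a sketch of the server-side CHAP check the message describes, following RFC 1994 (response = MD5 of identifier, secret and challenge) and the RADIUS rule that the challenge comes from the CHAP-Challenge attribute when present and otherwise from the Request Authenticator. The function names, the dictionary form of the attributes and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

CHAP_PASSWORD = 3    # RADIUS attribute: 1-byte CHAP identifier + 16-byte response
CHAP_CHALLENGE = 60  # RADIUS attribute: the challenge the NAS sent to the caller


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(attrs: dict, request_authenticator: bytes, stored: bytes) -> bool:
    """Check CHAP-Password against the stored secret (attrs: type -> value bytes)."""
    chap_pw = attrs.get(CHAP_PASSWORD)
    if chap_pw is None or len(chap_pw) != 17:
        return False
    ident, response = chap_pw[0], chap_pw[1:]
    # The challenge is the CHAP-Challenge attribute when present,
    # otherwise the 16-byte Request Authenticator field.
    challenge = attrs.get(CHAP_CHALLENGE, request_authenticator)
    expected = chap_response(ident, stored, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Runs the check on constructed sample data (no real credentials)."""
    password = b"constructed-password"
    # Stand-in for a one-way passwd-file entry; any one-way hash fails the same way.
    passwd_hash = hashlib.sha256(password).hexdigest().encode()
    challenge = bytes(range(16))          # constructed challenge
    authenticator = bytes(range(16, 32))  # constructed Request Authenticator
    ident = 7
    resp = bytes([ident]) + chap_response(ident, password, challenge)
    resp2 = bytes([ident]) + chap_response(ident, password, authenticator)
    in_attr = {CHAP_PASSWORD: resp, CHAP_CHALLENGE: challenge}
    return {
        "challenge_in_attribute": verify_chap(in_attr, authenticator, password),
        "challenge_in_authenticator": verify_chap({CHAP_PASSWORD: resp2}, authenticator, password),
        # A server that never reads CHAP-Challenge, modelled by dropping the attribute.
        "old_server_ignores_attribute": verify_chap({CHAP_PASSWORD: resp}, authenticator, password),
        "only_one_way_hash_stored": verify_chap(in_attr, authenticator, passwd_hash),
    }
```

The last two results come out False: a server that only looks at the Request Authenticator rejects a valid response computed over the attribute challenge, and a server holding only a one-way hash cannot reproduce the response at all.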