PEAP without credentials

Stefan.Neis at t-online.de Stefan.Neis at t-online.de
Sat Sep 17 02:20:02 CEST 2005


        Hi,

> I thought the username/passwd is transferred while the shake-hand.

Yes and no. I.e. it depends on the precise protocol you're using. For some
of them (mostly PAP, EAP-TTLS/PAP), the password is transferred in an encrypted
form. For others (CHAP, MSCHAP, EAP-MD5, PEAP), the password is only used to
perform a computation on a "challenge" presented by the server and only the
"reply" to the challenge is transferred. Those protocols are designed in a
way to make it impossible to obtain the cleartext password from challenge and
response, so an attacker doesn't get any hint about the password.

> So it wouldn't be able to reuse this transferred (encrypted or not) password
> for the connection?

No, the problem in the case of MSCHAP is that you _do_ need the cleartext
password and can't obtain it from the data transferred.

> When I look in my radius log, it shows me the clear-text
> password of everyone who tries to auth.

Then, you're either using a PAP based protocol for those tests where the
password is shown, or it shows you the password it got from the "database"
(users file, SQL, whatever)

> I would use that transfer to copy username & Passwd and store it in a db,
> so for the rest of the auth and autz the server would have the passwd.

No such transfer is taking place in the case of PEAP; just as I already said
in my first reply:
> > ..., there's no
> > way to extract the clear text password from the request, ...

Just look at the raw RADIUS packet via e.g. ethereal, if you're unwilling
to believe my words ...

        Regards,
	        Stefan	
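
The difference described in the message above, as an added example that is not part of the original post or of FreeRADIUS: RADIUS PAP hides User-Password reversibly with the shared secret (RFC 2865), so the server recovers the cleartext, while CHAP (RFC 1994) sends only a one-way digest that the server can check only against a password it already stores. CHAP stands in here for the challenge/response family; all secrets and passwords are constructed values.

```python
import hashlib
import hmac
import os

def _pad_stream(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: User-Password as the NAS sends it for PAP."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], _pad_stream(secret, prev)))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the shared secret undoes the hiding, giving cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _pad_stream(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(id || password || challenge) is all that is sent."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_id: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """The server recomputes the digest from the password in its own database."""
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)

def demo() -> dict:
    # All values below are constructed for this example.
    secret, password = b"constructed-shared-secret", b"constructed-password-1"
    authenticator, challenge = os.urandom(16), os.urandom(16)
    hidden = pap_hide(password, secret, authenticator)
    response = chap_response(1, password, challenge)
    return {
        "pap_server_sees": pap_recover(hidden, secret, authenticator),
        "chap_server_sees": response.hex(),
        "chap_ok_with_db_password": chap_verify(1, password, challenge, response),
        "chap_ok_without_it": chap_verify(1, b"", challenge, response),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```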





