Help: PAP with Sha1

alan buxey A.L.M.Buxey at
Fri Apr 20 15:00:16 CEST 2012


>    Although the AVP User-Password is shown here in clear text, it was not
>    transmitted to the server in clear text. FreeRADIUS uses the shared secret
>    to encrypt and decrypt the value of the User-Password AVP.

correct. it was encrypted using the shared-secret , the RFCs give full documentation
on how this works. 

>       This is what I am looking for. What is the place where RADIUS does
>    decrypt operation.

just using SHA1 one wont make it FIPS compliant as far as I can see - if it
did then there would have been a mas rush for a new RADIUS RFC with such a 
'simple' change.   if you want to use 'industrial strength' for the transport of 
credentiuals in then use RADIUS with TLS over TCP (aka RADSEC). 

alternatively, dont use PAP for the password! make the User-Password be SHA1
or SHA256 instead....the server can quite easily decode those to deal with
the authentication....and if anyone does lurk around able to break the shared-secret
(which is plausible if you dont have control of the network, client , NAS etc)
then they'd be faced with a nice SHA1 or the same result as using SHA
for the shared-secret with no messing with code.


More information about the Freeradius-Users mailing list