Stefan Kronawithleitner wrote:
The existing setup is a freeradius 1.1.6, allowing auth from a NAS and PEAP against an eDirectory (ldap) userbase, which works fine. However, users of another realm should be proxied to another radius-server - which works fine for PEAP, but failes from the NAS, because the NAS can do only PAP - which is not allowed on the other radius-server.
The other RADIUS server is either broken, or the administrators are being ridiculous. For a host of reasons, PAP is actually *better* than CHAP. It's not just easier to manage. It can actually be more secure in many cases!
I read through the changelogs, finding nothing like that - has there been a change? Is it possible to convert PAP to CHAP? Howto?
It's possible. You'll have to write some code. It's not hard. See rlm_example for writing a module. See radclient for how to convert a cleartext password into a CHAP password. rad_chap_encode(..) Alan DeKok.