On Mar 13, 2017, at 9:47 AM, Lasse Odden <lasse.odden@gmail.com> wrote:
I tried to add the same MS-CHAP2-Success attribute in the Access-Accept that the mschap modules sendt in the first authentication process where I had replaced the Access-Accept with an Access-Challengeand, and this worked.
That surprises me, to be honest.
So I guess I can save the attribute and then send it again if the passcode is verified, but this does not seem like a very good solution.
If it works...
But on the other hand, the encryption of the users passwords are needed.
Nonsense. The passwords are encrypted on the wire. I have no idea why people are so dead-set against using PAP. To be honest, PAP in RADIUS is *more* secure than MS-CHAP. MS-CHAPv2 can typically be cracked in a day: https://www.helpnetsecurity.com/2012/07/31/researcher-releases-tool-for-crac... Anyone who can see the RADIUS packets can crack MS-CHAPv2 with small amounts of effort. In contrast, the PAP encryption in RADIUS has *zero* cracks after almost 25 years. Stop taking a naive approach to security. Use what the experts recommend, because they know rather a lot more about the situation than you do. Alan DeKok.