Alan Alejandro Villaverde wrote:
> The only way I found to make it works is setting the following lines in
> the user file:
>
> vi users:
>
> avillaverde Auth-Type := MSCHAP, Cleartext-Password = "123456"
Don't do that. You were told to not do that. It's not necessary.
It's wrong.
> It works, but how do you handle 1000 users for example? It turns very
> difficult to manage the user passwords.
You put the passwords in a database. That's what databases are for,
> For instance, if the user change the password in the linux box, then you
> need to edit the users file to replicate that password.
i.e. you store the passwords in 2 places, so when the password
changes, it has to be changed in both places.
That's not a surprise.
> I have running tacacs+ in the same box, and the user only has to use an
> unique password for radius and tacacs defined by passwd. I am using PAM
> authentication for this.
I have no idea what that means.
> On the other hand, If I work with PAP I can handle the users like a
> Linux user, so the managament is easier and it depends on the final
> user. The user can access the linux box and change his password with a
> simple passwd and all is replicated for tacacs and freeradius. It is the
> way how is working today, but I was requested to set MSCHAP
> authentication due to security audits.
MS-CHAP isn't much more secure than PAP.
> When user try to access wireless controller, he puts his password and
> then radius checks the password with the passwd file or shadow file
> without any necesity of "editing radius users file"
MS-CHAP is incompatible with /etc/passwd. It's impossible to use them
both.
> I think I am missing something regarding how to set MSCHAP
> authentication, and that radius checks the password without using
> Cleartext-Password in the USERS file.
The server doesn't care where it gets the password from. It doesn't
matter if it's the "users" file, a database, or anywhere else.
The server DOES care about the format of the password. MS-CHAP
requires clear-text passwords, *or* NT hashed passwords. Neither format
can be stored in /etc/passwd.
It's impossible to "work around" this. Don't even try.
Alan DeKok.
,JL. j@, Zv uJ.u@qJ :LBO:v1 :r1@ MB G1 rB8Ur , r@Ei O .7 @. :N,:BBO05v,:, :7 u Or vM@r:E: rqr,: .v X Or 7@r v@U ,@::: 5 .L M: YO:2@OS. . .7: N iP Y@riBr ,:i::: :q ,q. qk :ii YO. iv7r77r iGF :7v7 :u0u. 7Lj ;5k1r7BN 7P552552v: LUM1, 7FUi:..v@B ik7JMJ. ..,v@rk. _..._ Y8. vL: .5@v E. .' '. ui,N: .G.O@: @ / _ _ \ .P: J7LEBO Bi | (o)_(o) | .1 i@B7 .MU \( ) / 2 :M@u .uMi //'._.'\ \ :k :U@BOi:vSM2B // . \ \ 7E@B@B@O8PrMk ;B || . \ \ @: @r |\ : / | EM. ;@ \ `) ' (` /_ .B7 0L _)``".____,.'"` (_ ..,:i;7vjuFXZEOMMBBL:::.rB@B@B@ ) )'--'( ( .,::ir77vvJjuu2UF5SS00GZOMBB@B@B@B@B@B@ '---` `---` ::iirr77rrr77vLLLjuu25FXPNZGMOOO@B@B@B@B@@@B@B@B@B :i:i::,:,i,:,:.:.:.:.:.:.:.,.,.,............. ...