converting pap to chap
Hello, I have a little problem concerning proxying of pap-auths. The existing setup is a freeradius 1.1.6, allowing auth from a NAS and PEAP against an eDirectory (ldap) userbase, which works fine. However, users of another realm should be proxied to another radius-server - which works fine for PEAP, but failes from the NAS, because the NAS can do only PAP - which is not allowed on the other radius-server. It is not possible to make CHAP-Auth from the NAS or allow PAP on the other side (which is not under my control). So far, so bad. But theoretically it should be possible, to convert a PAP-Auth to a CHAP-Auth - so i did a search in the archives and found some threads of users with the exact same problem. There was a conversation in 2003 between someone submitting a patch for a module and Alan DeKok - talking about the best solution, but there never was a conclusion - only that it is not possible without code modification. I read through the changelogs, finding nothing like that - has there been a change? Is it possible to convert PAP to CHAP? Howto? Thanks in advance, Stefan
Stefan Kronawithleitner wrote:
The existing setup is a freeradius 1.1.6, allowing auth from a NAS and PEAP against an eDirectory (ldap) userbase, which works fine. However, users of another realm should be proxied to another radius-server - which works fine for PEAP, but failes from the NAS, because the NAS can do only PAP - which is not allowed on the other radius-server.
The other RADIUS server is either broken, or the administrators are being ridiculous. For a host of reasons, PAP is actually *better* than CHAP. It's not just easier to manage. It can actually be more secure in many cases!
I read through the changelogs, finding nothing like that - has there been a change? Is it possible to convert PAP to CHAP? Howto?
It's possible. You'll have to write some code. It's not hard. See rlm_example for writing a module. See radclient for how to convert a cleartext password into a CHAP password. rad_chap_encode(..) Alan DeKok.
participants (2)
-
Alan DeKok -
Stefan Kronawithleitner