Is it possible to log the Dial-In user password?

Brian Candler B.Candler at pobox.com
Thu Apr 19 13:04:41 CEST 2012


On Wed, Apr 18, 2012 at 07:19:42PM +0700, Fajar A. Nugraha wrote:
> On Wed, Apr 18, 2012 at 7:05 PM, Henrik Karlsson
> <Henrik.Karlsson at generic.se> wrote:
> >
> > Hi,
> >
> > I need to log the Dial-In user's password and I wonder if it is possible to
> > do that in a freeRADIUS server?
> 
> Yes, if the user uses PAP.

And for CHAP, you can log CHAP-Challenge and CHAP-Response. Those values are
sufficient to be able to tell afterwards whether the user used a given
password or not. (i.e. you can test "did they use password '123456'"?)

You can also make a dictionary attack to try to determine what password they
used, which will often succeed if it's a simple password.
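
The check described in the reply above ("did they use password '123456'?"), as an added example that is not part of the original message or of FreeRADIUS. It assumes the logged response is in the RADIUS CHAP-Password layout (one CHAP identifier byte followed by the 16-byte MD5 digest) and that both values were logged as `0x`-prefixed hex; the function names and the sample entry are constructed for illustration.

```python
import hashlib
import hmac


def parse_octets(value: str) -> bytes:
    """Decode an octets attribute written as hex, with or without a 0x prefix."""
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    return bytes.fromhex(v)


def chap_digest(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def used_password(chap_password: bytes, challenge: bytes, candidate: str) -> bool:
    """True if the logged CHAP exchange was produced with `candidate`."""
    if len(chap_password) != 17:
        raise ValueError("expected 1 identifier byte + 16 digest bytes")
    if not challenge:
        raise ValueError("empty challenge")
    chap_id, logged = chap_password[0], chap_password[1:]
    expected = chap_digest(chap_id, candidate.encode("utf-8"), challenge)
    return hmac.compare_digest(expected, logged)


def constructed_log_entry() -> dict:
    """Constructed sample, not real traffic: user sent '123456' with id 0x2a."""
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    attr = bytes([0x2A]) + chap_digest(0x2A, b"123456", challenge)
    return {"CHAP-Challenge": "0x" + challenge.hex(),
            "CHAP-Password": "0x" + attr.hex()}


if __name__ == "__main__":
    entry = constructed_log_entry()
    challenge = parse_octets(entry["CHAP-Challenge"])
    response = parse_octets(entry["CHAP-Password"])
    for guess in ("123456", "letmein"):
        print(guess, used_password(response, challenge, guess))
```

Because this check works offline from the two logged values alone, a log that stores them needs the same access controls as a password hash file.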


More information about the Freeradius-Devel mailing list