PAP and clear text

Michael Lecuyer mjl at theorem.com
Fri Sep 16 18:43:02 CEST 2005


You must have missed the information in RFC 2865 (RADIUS), which is also 
a Fine Manual.  The PAP password is XOR'd with the MD5 hash of the 
shared secret and the authenticator.

You've been reading about the protocol prior to the RADIUS client's 
involvement. The same thing applies to CHAP, just to head you off.

Chuck Slate wrote:
> Hi All.
> 
> I have a few freeRADIUS newbie questions for you.
> 
> I have always read and been told that PAP is insecure because it
> transmits passwords in clear text. However, If I sniff the communication
> between my NAS and server when PAP is used, the password is indeed
> obfuscated. It appears to be hashed.
> 
> So my questions are:
> 1) First and foremost, am I interpreting this correctly?
> 2) If so, is it the shared secret defined in the clients.conf file that
> is used as a key for the hash?
> 3) If not, any clue as to what I am seeing, and in that case, what is
> the shared secret used for?
> 
> As you can see, I am looking for some basic info about the flow of the
> connection.  I have taken an honest shot at RTFM, but have not come
> across these details yet.  Can someone please explain or point me to an
> explanation?
> 
> Thanks in advance.
> 
> Chuck
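To make the mechanism Michael points at concrete, here is the User-Password hiding from RFC 2865 section 5.2 written out in Python. This is an added example, not code from the thread or from FreeRADIUS. The sample password, shared secret and Request Authenticator are the ones RFC 2865 uses in its section 7.1 packet trace; the 16-byte wrong-secret value in the demo is constructed for illustration. It shows why a sniffed PAP password looks scrambled (Chuck's observation), that the NAS and server derive the XOR stream from the shared secret plus the per-request authenticator rather than from a hash of the password, and that a party who does not hold the secret gets nothing useful out of the attribute.

```python
"""RFC 2865 section 5.2: hiding the PAP User-Password attribute.

The password is padded to a multiple of 16 octets and each 16-octet block
is XORed with MD5(shared_secret + previous_block), where the "previous
block" for the first chunk is the 16-octet Request Authenticator.
"""
import hashlib

# Values taken from the Access-Request example in RFC 2865 section 7.1.
RFC_SECRET = b"xyzzy5461"
RFC_PASSWORD = b"arctangent"
RFC_AUTHENTICATOR = bytes.fromhex("0f403f9473978057bd83d5cb98f4227a")

# Constructed value for the demo below: a secret the server does not use.
WRONG_SECRET = b"not-the-real-secret"


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the on-the-wire User-Password value a NAS sends for PAP."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    # Pad with NULs up to the next multiple of 16 octets (no padding if already aligned).
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    chain = authenticator  # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + chain).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        hidden += c
        chain = c  # b_n = MD5(S + c_(n-1)): each block keys the next
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does on receipt: undo the XOR and strip NUL padding.

    Trailing NULs are removed because RFC 2865 pads with them; a password that
    genuinely ends in NUL octets cannot be distinguished from padding here.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    chain = authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        key_block = hashlib.md5(secret + chain).digest()
        plain += bytes(x ^ k for x, k in zip(c, key_block))
        chain = c
    return bytes(plain).rstrip(b"\x00")


def demo(password: bytes = RFC_PASSWORD,
         secret: bytes = RFC_SECRET,
         authenticator: bytes = RFC_AUTHENTICATOR) -> dict:
    """Summarise what a sniffer, the real server and a wrong-secret holder each see."""
    hidden = hide_user_password(password, secret, authenticator)
    return {
        "wire_hex": hidden.hex(),
        "plaintext_visible_on_wire": password in hidden,
        "server_with_secret_recovers": reveal_user_password(hidden, secret, authenticator) == password,
        "wrong_secret_recovers": reveal_user_password(hidden, WRONG_SECRET, authenticator) == password,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing when you run it: the NAS does not hash the password at all, it XORs it with a keystream, so the server recovers the exact plaintext and can compare it against any backend (that is why PAP works with crypt, NTLM or LDAP bind where CHAP does not); and the only secret input to the keystream is the shared secret, so the protection against someone sniffing the NAS-to-server segment is exactly as good as that secret and the secrecy of the link. That is the reason RFC 2865 tells you to use a long, random shared secret per client and why RADIUS between NAS and server is normally kept on a trusted network or inside a tunnel.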