pap/peap confusion

Matt Ashfield mda at
Wed Feb 14 21:05:13 CET 2007

I'm pouring through the alphabet soup of all of this and have a few
questions that keep popping up.

During a pap conversation, the radius server ends up with the
username/password passed to it from the client. It then encrypts the
password to match the encryption of the stored password in ldap (or other
directory) and tries a bind. Correct?

During a PEAP conversation, the radius server also would end-up with a
username/password received from the client (either via clear-text or via the
mschap conversation). Why can it not then encrypt the password just like PAP
did? Does it do the comparison to LDAP stored passwords via MSCHAP as well?

Thanks for any info.

mda at

More information about the Freeradius-Users mailing list