pap/peap confusion

Alan DeKok aland at
Wed Feb 14 21:23:12 CET 2007

Matt Ashfield wrote:
> During a pap conversation, the radius server ends up with the
> username/password passed to it from the client. It then encrypts the
> password to match the encryption of the stored password in ldap (or other
> directory) and tries a bind. Correct?

  No.  LDAP bind is done using the clear-text password supplied by the
user in the Access-Request.

  If the "known good" password is stored *hashed* in a DB, then
FreeRADIUS isn't doing "LDAP bind".  Instead, it pulls the hashed
password from the DB, hashes the password in the Access-Request, and
compares the two hashes.

> During a PEAP conversation, the radius server also would end up with a
> username/password received from the client (either via clear-text or via the
> mschap conversation).

  It's almost always MS-CHAP.

> Why can it not then encrypt the password just like PAP
> did? Does it do the comparison to LDAP stored passwords via MSCHAP as well?

  If the LDAP server supplies the clear-text password to FreeRADIUS,
yes.  If it doesn't, LDAP bind won't work, because the Access-Request
doesn't contain a clear-text password.

  And since LDAP servers don't do MS-CHAP, you're left with somehow
getting FreeRADIUS to do the job, which means supplying it with the
cleartext password.

  Alan DeKok.
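
The distinction drawn in the message above, as an added example that is not part of the original post and is not FreeRADIUS code. CHAP's MD5 construction from RFC 1994 stands in for MS-CHAP here (MS-CHAP itself uses MD4 and DES); the `{SSHA}` storage format, the function names and the sample password are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

def ssha(password: bytes, salt: bytes) -> str:
    """LDAP-style salted SHA-1 hash, an assumed storage format for this example."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def pap_check(cleartext: bytes, stored: str) -> bool:
    """PAP: the request carries the clear-text password, so the server can
    hash it with the stored salt and compare the two hashes."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    salt = raw[20:]  # a SHA-1 digest is 20 bytes; the salt follows it
    return hmac.compare_digest(ssha(cleartext, salt), stored)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_check(ident: int, challenge: bytes, response: bytes, known_good: bytes) -> bool:
    """Challenge-response: the request holds no password, so the server must
    recompute the response from whatever "known good" value it has."""
    expected = chap_response(ident, known_good, challenge)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = b"constructed-sample-password"  # constructed sample value
    stored = ssha(password, os.urandom(8))     # what the directory holds
    challenge = os.urandom(16)
    response = chap_response(1, password, challenge)  # what the client sends
    return {
        "pap_against_hash": pap_check(password, stored),
        "pap_wrong_password": pap_check(b"wrong", stored),
        "chap_against_cleartext": chap_check(1, challenge, response, password),
        # Only the salted hash is available: it cannot reproduce the response.
        "chap_against_hash": chap_check(1, challenge, response, stored.encode()),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```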