pap/peap confusion
Phil Mayers
p.mayers at imperial.ac.uk
Wed Feb 14 22:41:58 CET 2007
Matt Ashfield wrote:
> I'm poring through the alphabet soup of all of this and have a few
> questions that keep popping up.
>
> During a pap conversation, the radius server ends up with the
> username/password passed to it from the client. It then encrypts the
> password to match the encryption of the stored password in ldap (or other
> directory) and tries a bind. Correct?
Yes
>
> During a PEAP conversation, the radius server also would end up with a
> username/password received from the client (either via clear-text or via the
> mschap conversation). Why can it not then encrypt the password just like PAP
> did? Does it do the comparison to LDAP stored passwords via MSCHAP as well?
No, miles off.
During a PEAP/MS-CHAP conversation, the server ends up with:
challenge == random bytes
response == HASH(challenge, HASH(password))
If the server has any of:
* the plaintext password
* HASH(password) i.e. the NT or LM hashes
* access to a domain controller which has the NT/LM hashes
...it can check the challenge and response match and that the client is
who they say they are.
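The distinction Phil draws above, as an added illustration that is not part of the original post or of FreeRADIUS: with PAP the server holds the plaintext and can re-run whatever scheme the directory used to store the password (salted or not), while with MS-CHAP the server only sees a challenge and HASH(challenge, HASH(password)), so it needs HASH(password) itself, or the plaintext to derive it, and a salted one-way hash in the directory is a dead end. The hash functions here are stand-ins (SHA-256 in place of the real NT hash and of the DES-based MS-CHAP response) so the shapes match Phil's description but not the real bytes; the record tuples and function names are constructed for the example.

```python
"""Added example: why a RADIUS server can verify PAP against a salted
directory hash but needs HASH(password) (or the plaintext) for MS-CHAP.
Stand-in hashes only: SHA-256 replaces the NT hash (MD4 over UTF-16LE) and
SHA-256 over challenge||hash replaces the DES-based MS-CHAP response."""
import hashlib
import hmac
import os


# ---- what the directory might store for a user ------------------------------

def nt_style_hash(password: str) -> bytes:
    """Stand-in for HASH(password): unsalted, derived from the password alone,
    which is what makes it usable on the MS-CHAP server side (and also what
    makes it password-equivalent if the directory leaks)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for a salted, one-way directory hash (the shape of LDAP {SSHA}):
    32-byte digest followed by the salt."""
    return hashlib.sha256(password.encode() + salt).digest() + salt


# ---- client side -------------------------------------------------------------

def mschap_style_response(challenge: bytes, password: str) -> bytes:
    """Stand-in for response == HASH(challenge, HASH(password))."""
    return hashlib.sha256(challenge + nt_style_hash(password)).digest()


# ---- server side -------------------------------------------------------------

def verify_pap(password: str, stored_salted: bytes) -> bool:
    """PAP: the server has the plaintext, so it re-derives the stored form
    (salt recovered from the record) and compares."""
    salt = stored_salted[32:]
    return hmac.compare_digest(salted_hash(password, salt), stored_salted)


def verify_mschap(challenge: bytes, response: bytes, record: tuple) -> bool:
    """PEAP/MS-CHAP: the server never sees the password. `record` is a
    constructed (scheme, value) pair as the directory might return it."""
    scheme, value = record
    if scheme == "CLEAR":
        password_hash = nt_style_hash(value)      # plaintext: derive the hash
    elif scheme == "NT":
        password_hash = value                     # already HASH(password)
    else:
        # Salted/one-way (e.g. SSHA): HASH(password) cannot be recovered,
        # so there is nothing to compute the expected response from.
        raise ValueError(f"cannot verify MS-CHAP against a {scheme} password")
    expected = hashlib.sha256(challenge + password_hash).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the four cases Phil's list implies and report which ones verify."""
    password = "correct horse"          # constructed sample credential
    challenge = os.urandom(16)          # challenge == random bytes
    response = mschap_style_response(challenge, password)
    results = {
        "pap_vs_salted": verify_pap(password, salted_hash(password, os.urandom(8))),
        "mschap_vs_nt_hash": verify_mschap(challenge, response, ("NT", nt_style_hash(password))),
        "mschap_vs_plaintext": verify_mschap(challenge, response, ("CLEAR", password)),
    }
    try:
        verify_mschap(challenge, response, ("SSHA", salted_hash(password, b"saltsalt")))
        results["mschap_vs_salted"] = True
    except ValueError:
        results["mschap_vs_salted"] = False
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} {'verifies' if ok else 'cannot verify'}")
```

The operational consequence for the directory is the one hidden in Phil's list: to serve MS-CHAP the store must keep the plaintext or the NT hash, and the NT hash is password-equivalent, so that attribute deserves the same access controls and monitoring as the password itself.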