converting pap to chap

Alan DeKok aland at deployingradius.com
Thu Sep 13 07:27:08 CEST 2007


Stefan Kronawithleitner wrote:
> The existing setup is a freeradius 1.1.6, allowing auth from a NAS and
> PEAP against an eDirectory (ldap) userbase, which works fine. However,
> users of another realm should be proxied to another radius-server -
> which works fine for PEAP, but failes from the NAS, because the NAS can
> do only PAP - which is not allowed on the other radius-server.

  The other RADIUS server is either broken, or the administrators are
being ridiculous.

  For a host of reasons, PAP is actually *better* than CHAP.  It's not
just easier to manage.  It can actually be more secure in many cases!

> I read through the changelogs, finding nothing like that - has there
> been a change? Is it possible to convert PAP to CHAP? Howto?

  It's possible.  You'll have to write some code.  It's not hard.

  See rlm_example for writing a module.  See radclient for how to
convert a cleartext password into a CHAP password.  rad_chap_encode(..)

 Alan DeKok.



More information about the Freeradius-Users mailing list