[freeradius+mysql]pap method
Fajar A. Nugraha
list at fajar.net
Tue Aug 2 07:41:42 CEST 2011
2011/8/2 gary <gary.yang at browan.com>
>
> Hi All
> I configure the NAS client as pap method for user authentication.
> But through the packet analysis by wireshark it appears "Encrypted".

To debug radius problems, it's much easier and informative to run
debug mode (radiusd -X) instead of using packet sniffers.

> Is it normal or any incorrect configure on NAS or Freeradius server?

Yup, that's normal. From http://www.ietf.org/rfc/rfc2865.txt :

    Network Security

        Transactions between the client and RADIUS server are
        authenticated through the use of a shared secret, which is never
        sent over the network. In addition, any user passwords are sent
        encrypted between the client and RADIUS server, to eliminate the
        possibility that someone snooping on an unsecure network could
        determine a user's password.

If the shared server is correct, the radius server will be able to see
the password as clear-text (i.e. unencrypted, exactly the way user
enters it). This is different from (for example) mschapv2, where the
radius server can't see what the clear-text password is by simply
looking at what the client sent.
--
Fajar