Sending Access-Challenge instead of Access-Accept using MS-CHAPv2
Alan DeKok
aland at deployingradius.com
Thu Mar 16 14:42:56 CET 2017
> On Mar 13, 2017, at 9:47 AM, Lasse Odden <lasse.odden at gmail.com> wrote:
>
> I tried to add the same MS-CHAP2-Success attribute in the Access-Accept
> that the mschap module sent in the first authentication process where I
> had replaced the Access-Accept with an Access-Challenge, and this
> worked.
That surprises me, to be honest.
> So I guess I can save the attribute and then send it again if the passcode
> is verified, but this does not seem like a very good solution.
If it works...
> But on the other hand, the encryption of the users' passwords is needed.
Nonsense.
The passwords are encrypted on the wire. I have no idea why people are so dead-set against using PAP.
To be honest, PAP in RADIUS is *more* secure than MS-CHAP. MS-CHAPv2 can typically be cracked in a day:
https://www.helpnetsecurity.com/2012/07/31/researcher-releases-tool-for-cracking-ms-chapv2-pptp-no-longer-secure/
Anyone who can see the RADIUS packets can crack MS-CHAPv2 with small amounts of effort. In contrast, the PAP encryption in RADIUS has *zero* cracks after almost 25 years.
Stop taking a naive approach to security. Use what the experts recommend, because they know rather a lot more about the situation than you do.
Alan DeKok.
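The "PAP encryption in RADIUS" referred to above is the User-Password hiding of RFC 2865 section 5.2. Here it is worked through in Python, as an added example that is not part of this thread or of FreeRADIUS; the shared secret, password and Request Authenticators are constructed sample values.

```python
import hashlib
import os

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet (MD5-sized) blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad the password to a multiple of 16 octets, then XOR
    block i with MD5(secret + previous ciphertext block); the 'previous block' for the
    first block is the packet's 16-octet Request Authenticator."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), BLOCK):
        prev = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += prev
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it on receipt."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), BLOCK):
        out += _xor(hidden[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + BLOCK]  # chaining uses the ciphertext block, not the plaintext
    return bytes(out).rstrip(b"\x00")

def demo() -> dict:
    """Round-trip a constructed password and show what the hiding depends on."""
    secret = b"constructed-shared-secret"        # sample value, not a real secret
    password = b"correct horse battery staple"   # 28 octets, padded to 32
    auth1, auth2 = os.urandom(BLOCK), os.urandom(BLOCK)  # fresh per request
    hidden1 = hide_user_password(password, secret, auth1)
    hidden2 = hide_user_password(password, secret, auth2)
    return {
        "hidden_len": len(hidden1),
        "round_trip_ok": reveal_user_password(hidden1, secret, auth1) == password,
        "differs_per_request": hidden1 != hidden2,   # same password, new authenticator
        "wrong_secret_ok": reveal_user_password(hidden1, b"other", auth1) == password,
    }
```

The keystream is derived from the shared secret and the per-request Request Authenticator, so the hiding is only as strong as the secret's entropy and the freshness of each authenticator; unlike the MS-CHAPv2 challenge and response, which travel in the clear inside the RADIUS packet, the PAP password cannot be recovered from a capture without the secret.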