
Re: [Help-gnu-radius] MS-CHAP


From: Michael Samanov
Subject: Re: [Help-gnu-radius] MS-CHAP
Date: Mon, 2 Dec 2002 19:27:05 +0300

----- Original Message -----
From: "Sergey Poznyakoff" <address@hidden>
To: "Michael Samanov" <address@hidden>
Cc: <address@hidden>
Sent: Monday, December 02, 2002 6:06 PM
Subject: Re: [Help-gnu-radius] MS-CHAP


> > As I can see, MS-CHAP (RFC 2548) is not implemented. So, Microsoft
> > Point to
> [...]
> > Sergey, are there any plans to implement this?
>
> No, there are not.

What a pity... I'll try to appeal to Microsoft so that they would implement
MPPE using CHAP auth :-)

I'll try to explain why authentication of this kind is needed; maybe
somebody will help me.

There is a FreeBSD box serving dedicated lines with MS clients on the remote
ends. Channels may be Ethernet or radio, so the connection needs to be
point-to-point and encrypted. To keep things simple you need to use PPTP.
There are two ways to do it: mpd or poptop+ppp. If you use their built-in
authentication then you have to use some kind of wraparounds for
accounting, and when you use Radius you can't use traffic encryption because
of the nature of the well-windowed ends.

> > What's the reason not to use "Auth-Type = Local, Password-Location =
> > SQL" in the "DEFAULT" label of "users" file?
>
> What exactly do you mean?

It's not possible to use "Auth-Type = Local, Password-Location = SQL" in the
DEFAULT label, is it? So one has to put each and every CHAP login into the
"users" file.

> > Is there any workaround to make away with the necessity to put down
> > every user name into "users"?
>
> Yes, there is. Use SQL authentication.

These ways are not equal. Either I don't understand things properly or CHAP
auth doesn't work in this case, while using PAP is a security breach.

P.S. A proper question is almost an answer in itself. I found that FreeRADIUS
can serve MS-CHAP-* requests. So, though I found the answer and nobody needs
to reply, I nevertheless decided to post this. Maybe it will help
somebody.

Sincerely yours,
  Michael (mailto:address@hidden)
