Real Time Ascend Mailing List Archive

Re: (ASCEND) PAP and CHAP with TNT



Oliver Stettner wrote:
> Jim Williams wrote:
> 
> > The problem with CHAP is that we have 9000 subscribers and have been doing
> > PAP from day one with shadow passwords...ALL passwords are currently
> > encrypted so putting them in a users file will take months to try to
> > capture the passwords on top of which having a file full of plain text ids
> > and passwords is somewhat of a security risk...that was the whole reason
> > behind shadow passwords and encryption on /etc/passwd.
> 
> So if I got that right, the TNTs are not administered by you but by
> UUnet. The UUnet TNTs contact your RADIUS server for authentication.
> UUnet's TNTs do chap and pap. And you have encrypted passwords on your
> radius servers.
> 
> In that case I guess you have no possibility. At least none I know of. :-(

What happens if your Radius server includes in its response:

ATTRIBUTE       Ascend-Send-Auth                231     integer
with the value set to
VALUE   Ascend-Send-Auth                Send-Auth-PAP           1

This should, I hope, cause the negotiation to restrict itself to PAP.

-- 
Jim Segrave           jes@nl.demon.net
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
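
The reply item suggested above, as it would look on the wire inside an Access-Accept. This is an added example, not part of the original post: it assumes the attribute is sent as a plain RADIUS attribute numbered 231, as the dictionary line implies, and the shared secret, identifier and Request Authenticator are constructed sample values. Whether a TNT then restricts negotiation to PAP is the open question of the post, which the code does not settle.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
ASCEND_SEND_AUTH = 231   # attribute number from the dictionary line in the post
SEND_AUTH_PAP = 1        # value from the dictionary line in the post


def integer_attr(attr_type, value):
    """Encode an integer attribute: type, length (6), 32-bit big-endian value."""
    return struct.pack("!BBI", attr_type, 6, value)


def access_accept(identifier, request_auth, secret, attrs):
    """Build an Access-Accept carrying attrs, with its Response Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def verify_and_parse(packet, request_auth, secret):
    """Check the Response Authenticator, then return {type: value bytes}."""
    if len(packet) < 20:
        raise ValueError("short packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return attrs


if __name__ == "__main__":
    secret = b"constructed-secret"            # constructed sample value
    req_auth = bytes(range(16))               # constructed Request Authenticator
    pkt = access_accept(7, req_auth, secret, integer_attr(ASCEND_SEND_AUTH, SEND_AUTH_PAP))
    print(pkt.hex(), verify_and_parse(pkt, req_auth, secret))
```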