Actually that tech note is trying to tell you why you *CAN'T* use CHAP and
RADIUS/UNIX combination. Apparently it is confusing?

>I can create a profile on my 4k, and get chap working, but not with
>radius.

It is *NOT POSSIBLE* to use CHAP/RADIUS/UNIX on *any* box.

See the attached - which I think the tech note was based on:
</PRE>
<PRE>
> > RFC 1334                 PPP Authentication              October 1992
> >
> > Implementation Note: CHAP requires that the secret be available in
> > plaintext form.  To avoid sending the secret over other links in
> > the network, it is recommended that the challenge and response
> > values be examined at a central server, rather than each network
> > access server.  Otherwise, the secret SHOULD be sent to such
> > servers in a reversably encrypted form.
>
> This seems to imply that the Ascend (as I suspect the Livingston does)
> could use the Ascend-Secret to encrypt the clear text password, or even
> send the clear text password if you choose to have it do so.

Ascend-secret is an Ascend extension to RADIUS. It is used only in
communications between NAS and RADIUS.

People are forgetting who is communicating with whom. A picture might help:

    +--------+                 +-----+          +--------+
    | remote |_________________| NAS |__________| RADIUS |
    | unit   |                 |     |          | SERVER |
    +--------+                 +-----+          +--------+

It makes no difference if the NAS is Ascend, Livingston, Cisco, USR, etc.

Notes:

1) The remote unit shares a secret with the RADIUS server. This secret
   is NOT known by the NAS. I'll call this the remote/radius secret.

2) The NAS shares a secret with the RADIUS server. This secret is not
   known by the remote unit. I'll call this the nas/radius secret.

Them is the rules. You can change them, but it is a new protocol, not
CHAP, not PAP, not RADIUS.
Given these rules:

PAP Authentication:

  * remote unit sends secret IN THE CLEAR to the NAS
  * NAS encrypts remote/radius secret using nas/radius secret
  * RADIUS decrypts remote/radius secret using nas/radius secret
  * The RADIUS server now has a clear copy of the remote/radius secret
    which it could pass on to the UNIX (or any other) password
    validation system.

CHAP Authentication:

  * NAS sends random (in Ascend's case 128 bit) challenge to remote unit.
  * remote unit calculates an MD5 digest using the remote/radius secret
    and the challenge (and the PPP packet id). The MD5 digest is sent to
    the NAS. The DIGEST is sent to the NAS, not the remote/radius secret.
    The NAS never has the secret, so it can't pass it on to RADIUS.
  * NAS forwards the digest, along with the original challenge (and PPP
    packet ID) to RADIUS. No encryption necessary as a snooper can not
    calculate the remote/radius secret even when given all the above
    info. That is the point of using MD5 -- it is a one way transform.
    You can not (they say) decode what has been coded.
  * RADIUS also can NOT extract the remote/radius secret. Since the
    secret can not be extracted, there is nothing to give to the unix
    password system. CHAP and UNIX authentication can not work.

What RADIUS can do is:

  - look up the remote/radius secret assigned to the remote unit from a
    local database.
  - calculate an MD5 digest using the local version of the remote/radius
    secret plus the challenge (and PPP packet id) received from the NAS.
  - Compare the calculated MD5 digest with the digest received from the
    NAS. If the digests are the same then the secrets that went into MD5
    on both the remote unit and the RADIUS server are the same, so the
    user is authenticated.

That is how CHAP works on ALL RADIUS servers.
// marc
</PRE>
<PRE>
Kevin
</PRE>
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<HR>
<STRONG>References</STRONG>:
<UL>
<LI><STRONG><A HREF="msg01310.html">(ASCEND) CHAP authentication - I hate to ask, but...</A></STRONG></LI>
<UL>
<LI><EM>From</EM>: "Troy Settle" <rewt@i-Plus.net></LI>
</UL>
</UL>
<!--X-References-End-->
</BODY>
</HTML>
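Editor's added example, not part of marc's or Kevin's message: it models the three parties in the diagram above (remote unit, NAS, RADIUS server) and walks both legs of the argument. For PAP the NAS hides the clear-text password on its way to RADIUS and RADIUS recovers it, so RADIUS can check it against a one-way password store; for CHAP only an MD5 digest ever leaves the remote unit, so RADIUS can verify it only by recomputing the digest from a plaintext copy of the remote/radius secret, and a server holding nothing but a UNIX-style hash has nothing to recompute. Assumptions, none of which the post states: the NAS-to-RADIUS hiding uses the RFC 2865 section 5.2 User-Password scheme (MD5 of the nas/radius secret and the Request Authenticator, XORed block by block); the "UNIX password store" is a constructed salted SHA-256 stand-in for crypt(3); user name, secrets and salt are constructed sample values.

```python
"""Three-party model of PAP and CHAP through a NAS to a RADIUS server.

Editor's example. Assumptions (not from the post): RFC 2865 s5.2 password
hiding between NAS and RADIUS; a salted SHA-256 stand-in for the UNIX
crypt(3) password store; constructed sample secrets.
"""
import hashlib
import hmac
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- CHAP leg: remote unit answers a challenge, RADIUS recomputes ---------

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Remote unit: MD5(packet id || remote/radius secret || challenge).
    Only this digest is sent to the NAS; the secret never leaves the unit."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def radius_verify_chap(ident: int, challenge: bytes, response: bytes,
                       secret_db: dict, user: str) -> bool:
    """RADIUS: look up its own copy of the remote/radius secret, recompute
    the digest over the same challenge and id, compare in constant time.
    Whatever secret_db holds is used as-is; only a plaintext copy of the
    real secret can ever reproduce the remote unit's digest."""
    secret = secret_db.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


# ---- PAP leg: clear to NAS, hidden NAS->RADIUS, checked against a hash ----

def pap_hide_password(password: bytes, nas_secret: bytes, authenticator: bytes) -> bytes:
    """NAS: hide the clear-text password with the nas/radius secret
    (assumed RFC 2865 s5.2 scheme). Pad to 16-byte blocks; each block is
    XORed with MD5(nas_secret || previous ciphertext block), the first block
    using the 16-byte Request Authenticator instead."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(nas_secret + prev).digest())
        out += block
        prev = block
    return out


def pap_unhide_password(hidden: bytes, nas_secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS: reverse the hiding; it holds the same nas/radius secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(nas_secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def unix_store_hash(password: bytes, salt: bytes) -> bytes:
    """Constructed stand-in for a crypt(3)-style one-way, salted store."""
    return hashlib.sha256(salt + password).digest()


def radius_verify_pap(password: bytes, unix_db: dict, user: str) -> bool:
    """RADIUS has the clear password, so a one-way store is enough."""
    entry = unix_db.get(user)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(unix_store_hash(password, salt), digest)


def demo() -> dict:
    """Run both legs with constructed sample values and report the outcomes."""
    user, secret, nas_secret, salt = "alice", b"correct horse", b"nas-shared-key", b"s4"
    plaintext_db = {user: secret}                                  # what CHAP needs
    unix_db = {user: (salt, unix_store_hash(secret, salt))}         # one-way store

    authenticator = os.urandom(16)
    hidden = pap_hide_password(secret, nas_secret, authenticator)   # NAS -> RADIUS
    recovered = pap_unhide_password(hidden, nas_secret, authenticator)
    pap_ok = radius_verify_pap(recovered, unix_db, user)

    ident, challenge = 7, os.urandom(16)                            # 128-bit challenge
    response = chap_response(ident, secret, challenge)              # remote -> NAS -> RADIUS
    chap_ok = radius_verify_chap(ident, challenge, response, plaintext_db, user)
    chap_bad = radius_verify_chap(ident, challenge,
                                  chap_response(ident, b"wrong", challenge), plaintext_db, user)
    # A server holding only the UNIX hash can at best feed that hash into MD5;
    # it is not the secret, so the legitimate user's digest never matches.
    chap_via_hash = radius_verify_chap(ident, challenge, response,
                                       {user: unix_db[user][1]}, user)
    return {"pap_ok": pap_ok, "chap_ok": chap_ok, "chap_wrong_secret": chap_bad,
            "chap_with_unix_hash_only": chap_via_hash}


if __name__ == "__main__":
    print(demo())
```

The telling line is `chap_with_unix_hash_only`: the RADIUS side runs exactly the same comparison that succeeds with the plaintext secret, and it fails for the genuine user because the one-way hash cannot stand in for the secret inside MD5. Nothing in the PAP leg has that problem, which is why PAP/RADIUS/UNIX works and CHAP/RADIUS/UNIX does not.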