Ascend Archive
(ASCEND) CHAP, PAP presentation order

Hi all,

I have a question about CHAP/PAP auth requests as they relate
to Ascend MAX TNT and 4004 NASes.

My understanding is that Ascend NASes can be configured to send/accept
PAP auth requests, CHAP auth requests, or both.  Ascend NASes seem to
be RFC-compliant in the sense that when configured to send/accept both
CHAP and PAP auth requests, the NAS will request CHAP first, and,
if NAKed by the client, then PAP.

However, Windows PPP clients don't allow the user to NAK CHAP auth
requests when they come in.  This is a problem if an Ascend NAS is
configured to send/accept both CHAP and PAP and the authenticator is a
UNIX passwd file.  The Ascend NAS will issue a CHAP request, the
Windows client will accept it, and a whole challenge/response session
will take place.  CHAP is incompatible with UNIX passwd files,
however, because it's impossible to compare the two hashes to
determine if the user entered the correct password.

One way around this is to disable CHAP in the NAS and send/accept PAP
requests only.  But that turns off an important capability--namely the
security gained by CHAP that some sites require--they don't want their
passwords travelling across the wire in the clear.

The other, better method, which I'd like to know how to do, is to
somehow force the Ascend NAS to present a PAP auth request first,
then, if NAKed by the client, present a CHAP auth request.  This works
with Windows (and most other) clients because one can select "Require
Encrypted Password" in a dialup profile and the client will NAK the
PAP request and use CHAP instead.

However, we've as yet found no way to swap the presentation order.
When configured to use both CHAP and PAP, the NAS will *always*
present CHAP first.  Somehow, however, BBN seems to have found a way
to fix the problem--their NASes present PAP first, then CHAP.  We'd
like to know how to do this.

--Michael
                 Michael S. Fischer <otterley@iPass.COM>            
 |\           Sr. Systems/Network Administrator,  iPass Inc.          _O_ 
 |                       require Std::Disclaimer;                      |
()            Voice: +1 650 944 0333    FAX: +1 650 237 7321           |
        "From the bricks of shame is built the hope"--Alan Wilder