Ascend Archive
Re: (ASCEND) CHAP, PAP presentation order
> The other, better, method, that I'd like to know how to do is to
> somehow force the Ascend NAS to present a PAP auth request first,
> then, if NAKed by the client, present a CHAP auth request.
It would be a violation of the relevant IETF standards. These standards
require a PPP implementation offering both PAP and CHAP authentication
to offer CHAP first.
To quote from RFC 1334:

    Any implementations which include a stronger authentication method
    (such as CHAP, described below) MUST offer to negotiate that method
    prior to PAP.

    MUST
        This word, or the adjective "required", means that the definition
        is an absolute requirement of the specification.

To fail to do this would be insecure and a violation of an explicit
requirement. I would be *VERY* upset with Ascend or any other vendor
who violated this basic security rule.
The basic facts are:
#1 - if you want to use the UNIX password file, then you cannot use CHAP.
#2 - if you cannot use CHAP then you should disable it and only offer PAP.
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>
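
An added example, not part of the original message or of any Ascend code, illustrating basic fact #1 above: the CHAP response is an MD5 over Identifier, secret and Challenge, so the authenticator must hold the secret itself, while PAP delivers the password and can be checked against a one-way hash. Assumptions: PBKDF2 stands in for the UNIX crypt(3) hash, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5: one-way hash over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 as a stand-in for crypt(3). The password file
    # stores only this value, never the password.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def pap_verify(submitted: bytes, salt: bytes, stored_hash: bytes) -> bool:
    # PAP sends the password itself, so the server can re-hash and compare.
    return hmac.compare_digest(one_way_hash(submitted, salt), stored_hash)


def chap_verify(identifier: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    # The authenticator recomputes the same MD5, which needs the exact
    # secret the peer used; a hash of that secret gives a different digest.
    expected = chap_response(identifier, server_secret, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample account, not taken from the page.
PASSWORD = b"correct horse"
SALT = b"constructed-salt"
STORED_HASH = one_way_hash(PASSWORD, SALT)


def demo() -> dict:
    identifier, challenge = 0x2A, os.urandom(16)
    response = chap_response(identifier, PASSWORD, challenge)  # peer side
    return {
        "pap_with_hash_file": pap_verify(PASSWORD, SALT, STORED_HASH),
        "chap_with_cleartext": chap_verify(identifier, challenge, response, PASSWORD),
        "chap_with_hash_file": chap_verify(identifier, challenge, response, STORED_HASH),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```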