Ascend Archive

RE: (ASCEND) CHAP, PAP presentation order

Michael

This problem also occurs with token cards as the response must not be
CHAP'd (which will occur by default) as the token servers need the
original passcode.  We attach a short script to the windows dial-up
which forces PAP authentication.  The only problems this introduces are
firstly administrative in getting the script onto all the PCs and
secondly ISDN must use V.120 so it is restricted to single channel.  I
have looked in detail at Ascend and there is no way to change its
standard operation (as far as I can see) and I agree with other comments
that it would open a security hole if there was.  I have also looked at
both Windows 95 and NT to see if CHAP can be disabled - and it can't as
far as I can tell.  Bottom line, if you need both PAP and CHAP on the
Ascend then you need a script.  If someone has a better solution I would
love to know.

Regards

Richard Denning
Cable & Wireless Communications

> -----Original Message-----
> From:	Michael S. Fischer [SMTP:otterley@iPass.COM]
> Sent:	Monday, October 12, 1998 9:49 PM
> To:	ascend-users@bungi.com
> Subject:	(ASCEND) CHAP, PAP presentation order
> 
> Hi all,
> 
> I have a question about CHAP/PAP auth requests as they relate
> to Ascend MAX TNT and 4004 NASes.
> 
> My understanding is that Ascend NASes can be configured to send/accept
> PAP auth requests, CHAP auth requests, or both.  Ascend NASes seem to
> be RFC-compliant in the sense that when configured to send/accept both
> CHAP and PAP auth requests, the NAS will request CHAP first, and,
> if NAKed by the client, then PAP.
> 
> However, Windows PPP clients don't allow the user to NAK CHAP auth
> requests when they come in.  This is a problem if an Ascend NAS is
> configured to send/accept both CHAP and PAP and the authenticator is a
> UNIX passwd file.  The Ascend NAS will issue a CHAP request, the
> Windows client will accept it, and a whole challenge/response session
> will take place.  CHAP is incompatible with UNIX passwd files,
> however, because it's impossible to compare the two hashes to
> determine if the user entered the correct password.
> 
> One way around this is to disable CHAP in the NAS and send/accept PAP
> requests only.  But that turns off an important capability--namely the
> security gained by CHAP that some sites require--they don't want their
> passwords travelling across the wire in the clear.
> 
> The other, better method, which I'd like to know how to do, is to
> somehow force the Ascend NAS to present a PAP auth request first,
> then, if NAKed by the client, present a CHAP auth request.  This works
> with Windows (and most other) clients because one can select "Require
> Encrypted Password" in a dialup profile and the client will NAK the
> PAP request and use CHAP instead.
> 
> However, we've as yet found no way to swap the presentation order.
> When configured to use both CHAP and PAP, the NAS will *always*
> present CHAP first.  Somehow, however, BBN seems to have found a way
> to fix the problem--their NASes present PAP first, then CHAP.  We'd
> like to know how to do this.
> 
> --Michael
> 
>                  Michael S. Fischer <otterley@iPass.COM>            
>  |\           Sr. Systems/Network Administrator,  iPass Inc.
> _O_ 
>  |                       require Std::Disclaimer;
> |
> ()            Voice: +1 650 944 0333    FAX: +1 650 237 7321
> |
>         "From the bricks of shame is built the hope"--Alan Wilder
> ++ Ascend Users Mailing List ++
> To unsubscribe:	send unsubscribe to
> ascend-users-request@bungi.com
> To get FAQ'd:	<http://www.nealis.net/ascend/faq>
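The two points argued in this thread, that a NAS offering CHAP before PAP leaves a Windows client no chance to fall back to PAP, and that CHAP cannot be checked against a one-way hashed UNIX passwd file while PAP can, can be made concrete with a small model. The following is an added example written for this archive page; it is not Ascend or BBN code and not anything the posters shared. The LCP Authentication-Protocol values (0xC023 for PAP, 0xC223 for CHAP) and the MD5-CHAP response formula are taken from RFC 1334 and RFC 1994; the client policies, the PBKDF2 stand-in for crypt(), the user "alice" and the secret "s3cret" are constructed for the example.

```python
"""Model of PPP authentication negotiation order and of CHAP versus PAP
verification against a hashed password store.

Added example for this mailing-list thread; not Ascend, BBN or Windows
code.  The negotiation is reduced to one Configure-Request per offered
protocol, which is enough to show the ordering problem described above.
"""
import hashlib
import hmac
import os

PAP = 0xC023   # LCP Authentication-Protocol value for PAP (RFC 1334)
CHAP = 0xC223  # LCP Authentication-Protocol value for CHAP (RFC 1994)
NAME = {PAP: "PAP", CHAP: "CHAP"}

SALT_LEN = 8


def negotiate(nas_preference, client_policy):
    """Return (agreed_protocol, transcript) for the NAS offering protocols
    in the given order.

    client_policy (constructed for the example):
      "accept_any"        acks whatever is offered first, like the Windows
                          client in the thread, which cannot NAK CHAP
      "require_encrypted" NAKs PAP and asks for CHAP, like a Windows profile
                          with "Require Encrypted Password" set
    """
    transcript = []
    for offered in nas_preference:
        if client_policy == "require_encrypted" and offered == PAP:
            transcript.append((NAME[offered], "Configure-Nak, client wants CHAP"))
            continue  # NAS moves on to its next configured protocol
        transcript.append((NAME[offered], "Configure-Ack"))
        return offered, transcript
    return None, transcript  # no common authentication protocol


def hash_password(password, salt=None):
    """One-way, salted hash standing in for the crypt() entry of a UNIX
    passwd file (PBKDF2-SHA256 here, purely as a stand-in)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def verify_pap(user, password, store):
    """PAP: the cleartext password arrives, so it can be re-hashed with the
    stored salt and compared with the stored digest."""
    stored = store.get(user)
    if stored is None:
        return False
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), stored)


def chap_response(ident, secret, challenge):
    """MD5-CHAP response per RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_chap(user, ident, challenge, response, plaintext_secrets=None):
    """CHAP verification must recompute the MD5 over the *cleartext* secret.

    Returns True/False when a cleartext secret is on hand, and None when
    only a one-way hashed passwd entry exists: the hash of the secret is
    not the secret, so the expected response cannot be computed at all.
    """
    if plaintext_secrets is not None and user in plaintext_secrets:
        expected = chap_response(ident, plaintext_secrets[user], challenge)
        return hmac.compare_digest(expected, response)
    return None


def dial_in(nas_preference, client_policy, user, password, store,
            plaintext_secrets=None):
    """Run one dial-in: negotiate the protocol, then authenticate with it.
    Returns (protocol name, verification result)."""
    proto, _transcript = negotiate(nas_preference, client_policy)
    if proto == PAP:
        return "PAP", verify_pap(user, password, store)
    if proto == CHAP:
        ident, challenge = 1, os.urandom(16)
        response = chap_response(ident, password.encode(), challenge)
        return "CHAP", verify_chap(user, ident, challenge, response,
                                   plaintext_secrets)
    return None, False


if __name__ == "__main__":
    store = {"alice": hash_password("s3cret")}      # constructed passwd entry
    # CHAP offered first, Windows client accepts it, hashed store: unverifiable.
    print(dial_in([CHAP, PAP], "accept_any", "alice", "s3cret", store))
    # PAP offered first: the hashed store can check the cleartext password.
    print(dial_in([PAP, CHAP], "accept_any", "alice", "s3cret", store))
    # PAP first but the profile requires encryption: client NAKs, CHAP wins,
    # and CHAP verifies only because a cleartext secret is available.
    print(dial_in([PAP, CHAP], "require_encrypted", "alice", "s3cret", store,
                  {"alice": b"s3cret"}))
```

The `None` result in the first scenario is the failure mode the thread describes: the session completes a full challenge/response exchange and still cannot be authenticated against the passwd file. Swapping the offer order to PAP first makes the hashed store usable for ordinary clients, while a client that insists on CHAP still gets it by NAKing PAP, provided the authenticator holds cleartext secrets for those users.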