Ascend Archive

Re: (ASCEND) CHAP, PAP presentation order



> Virtually all PPP clients out there can be configured to reject PAP in
> favour of CHAP.  Not all of them, however--including a huge installed
> Windows client base--can reject CHAP.  This is a huge problem if you
> require PAP to dial in because an authenticator doesn't store its passwords
> in plaintext, yet you still want to offer CHAP for those authenticators
> who do.

I am sorry, but the fact that one or more PPP implementations are inadequate
is not a good enough reason for every PPP implementor to ignore the standards.
The idea that the most broken implementation should decide how a standard
should be interpreted is revolting.

You have a number of options which can be used, none of which require anyone
to violate an IETF standard.

#1 - Don't use a PPP authentication method - use the terminal server,
     optionally along with a script.  This will automatically force
     the RADIUS server to use the equivalent of PAP.

#2 - Don't use an inadequate PPP implementation.  There is more than one
     PPP on the market and many have the ability to specify the auth method
     a client is willing to accept.

#3 - Complain to the vendor of the inadequate PPP implementation and get
     them to provide the desired functionality.  Point out the reasons
     for your requirement and point to the relevant standards.

#4 - Make sure that anyone wanting to offer roaming services provides
     a non-encrypted database option for roaming users to prevent the
     problem.

> I think the presentation order issue is irrelevant in terms of its
> security implications.  However, I invite you to correct me if you can
> prove otherwise.

If you feel it is irrelevant, I invite you to send a note with that claim
to the PPPEXT-WG mailing list, or the PPPEXT-WG chair <karl@Ascend.com>,
or to Bill Simpson <wsimpson@GreenDragon.com>, the author of RFC 1334.
I am sure they would be interested in updating the RFC if this is true.

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>