Ascend Archive

Re: (ASCEND) CHAP, PAP presentation order



In message <199810122244.SAA02720@fox.CES.CWRU.Edu>, Tim Basher writes:

>> The other, better, method, that I'd like to know how to do is to
>> somehow force the Ascend NAS to present a PAP auth request first,
>> then, if NAKed by the client, present a CHAP auth request.
>
>It would be a violation of the relevant IETF standards.  These standards
>require a PPP implementation offering both PAP and CHAP authentication
>to offer CHAP first.

I'm well aware of what the RFC says, and I mentioned that in my first
post.  And I know I'm probably upsetting a lot of people by daring to
say that the RFC requirements are impractical and that I *need* to
violate them.  I'll explain below.

[snip]

>To fail to do this would be insecure and a violation of an explicit
>requirement.  I would be *VERY* upset with Ascend or any other vendor
>who violated this basic security rule.

I don't necessarily agree that presenting a less-secure
authentication protocol first is a security problem.  Virtually all
PPP clients out there can be configured to reject PAP in favour of
CHAP.  Not all of them, however--including a huge installed Windows
client base--can reject CHAP.  This is a huge problem if you require
PAP to dial in because an authenticator doesn't store its passwords in
plaintext, yet you still want to offer CHAP for those authenticators
who do.

I think the presentation order issue is irrelevant in terms of its
security implications.  However, I invite you to correct me if you can
prove otherwise.

>The basic facts are:
> #1 - if you want to use the UNIX password file, then you cannot use CHAP.  

Well, duh. :>

> #2 - if you cannot use CHAP then you should disable it and only offer PAP.

This is beyond our control.  iPass does not own any of the NASes the
users dial in to--they are owned by the partners we pay for use of
their network.  In doing so, we have to instruct each NAS provider on
the best means to support all types of authentication databases,
including plaintext, LDAP, UNIX password files, and NT SAM.  We have
to be able to tell people using plaintext files that they can force
CHAP on their clients, while at the same time telling people who use
UNIX or NT SAM databases that they can use PAP.  And the only
practical way to support all of this, given the limitations of the
Microsoft DUN setup, is to offer PAP first, then CHAP.

Cisco can do it.  Livingston can do it.  Why not Ascend?

I hope I've made myself clear, and I really could use the help of anyone
who has done this, because I know that GTE/BBN has been able to do
it on theirs.

--Michael

                 Michael S. Fischer <otterley@iPass.COM>            
 |\           Sr. Systems/Network Administrator,  iPass Inc.          _O_ 
 |                       require Std::Disclaimer;                      |
()            Voice: +1 650 944 0333    FAX: +1 650 237 7321           |
        "From the bricks of shame is built the hope"--Alan Wilder
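The negotiation the post is arguing about, as an added example that is not part of the original message and is not Ascend's, iPass's or any other vendor's code: a Python model of the LCP Authentication-Protocol option exchange between a NAS and a dial-in client. The protocol numbers and option encoding follow the PPP RFCs (LCP option type 3; PAP 0xC023; CHAP 0xC223 with algorithm byte 5 for MD5). The two client behaviours (a DUN profile that Acks whatever is offered first, and a client configured to Nak PAP and counter-propose CHAP), the two credential stores, and the NAS fallback rule (honour a Nak that names a supported protocol, otherwise try the next untried preference) are assumptions constructed to mirror the thread, not measured behaviour of any product.

```python
"""Model of the LCP Authentication-Protocol negotiation (added example,
not from the post, Ascend or iPass). Shows why the offered order matters
when the NAS cannot know, at LCP time, which credential store the user is in."""

PAP = 0xC023       # RFC 1334 Password Authentication Protocol
CHAP = 0xC223      # RFC 1994 Challenge Handshake Authentication Protocol
CHAP_MD5 = 5       # CHAP "algorithm" byte for MD5
LCP_OPT_AUTH = 3   # LCP configuration option: Authentication-Protocol
CONF_ACK, CONF_NAK, CONF_REJ = "Configure-Ack", "Configure-Nak", "Configure-Reject"
NAMES = {PAP: "PAP", CHAP: "CHAP"}


def encode_auth_option(proto):
    """Build the option as sent on the wire: type, length, protocol[, algorithm]."""
    if proto == PAP:
        return bytes([LCP_OPT_AUTH, 4]) + PAP.to_bytes(2, "big")
    if proto == CHAP:
        return bytes([LCP_OPT_AUTH, 5]) + CHAP.to_bytes(2, "big") + bytes([CHAP_MD5])
    raise ValueError("unknown authentication protocol %#06x" % proto)


def decode_auth_option(data):
    """Parse the option; refuse malformed or unsupported encodings instead of guessing."""
    if len(data) < 4 or data[0] != LCP_OPT_AUTH or data[1] != len(data):
        raise ValueError("malformed Authentication-Protocol option")
    proto = int.from_bytes(data[2:4], "big")
    if proto == PAP and len(data) == 4:
        return PAP
    if proto == CHAP and len(data) == 5 and data[4] == CHAP_MD5:
        return CHAP
    raise ValueError("unsupported Authentication-Protocol option %r" % data)


class Client:
    """PPP peer (assumed behaviour). `accepts`: protocols it will Ack;
    `counter`: protocol it proposes in a Nak when offered anything else
    (None means it sends Configure-Reject instead)."""

    def __init__(self, name, accepts, counter=None):
        self.name, self.accepts, self.counter = name, frozenset(accepts), counter

    def respond(self, option):
        proto = decode_auth_option(option)
        if proto in self.accepts:
            return CONF_ACK, option
        if self.counter is not None:
            return CONF_NAK, encode_auth_option(self.counter)
        return CONF_REJ, option


def negotiate(order, client, max_rounds=4):
    """NAS side (assumed rule): offer protocols in `order`; on a Nak naming
    a supported, untried protocol switch to it, otherwise go to the next
    untried preference. Returns (agreed protocol or None, transcript)."""
    transcript, tried, proto = [], [], order[0]
    for _ in range(max_rounds):
        tried.append(proto)
        code, reply = client.respond(encode_auth_option(proto))
        transcript.append((NAMES[proto], code))
        if code == CONF_ACK:
            return proto, transcript
        nxt = None
        if code == CONF_NAK:
            suggested = decode_auth_option(reply)
            if suggested in order and suggested not in tried:
                nxt = suggested
        if nxt is None:
            nxt = next((p for p in order if p not in tried), None)
        if nxt is None:
            return None, transcript
        proto = nxt
    return None, transcript


# Credential stores and the protocols each can verify. MD5-CHAP needs the
# cleartext secret on the authenticator, so a crypt()-hashed passwd file is PAP-only.
BACKENDS = {"plaintext": frozenset({PAP, CHAP}), "unix_passwd": frozenset({PAP})}

# Constructed client behaviours mirroring the thread.
CLIENTS = {
    "windows_dun": Client("windows_dun", {PAP, CHAP}),            # Acks whatever comes first
    "unix_chap_only": Client("unix_chap_only", {CHAP}, counter=CHAP),  # Naks PAP, asks for CHAP
}


def dial_in(order, client, backend):
    """One call: LCP result, then whether the user's store can verify that protocol.
    The order is fixed before the NAS knows which user (and store) is calling."""
    proto, transcript = negotiate(order, client)
    if proto is None:
        return "lcp-failed", transcript
    if proto not in backend:
        return "auth-impossible", transcript
    return "ok", transcript


if __name__ == "__main__":
    for order in ([CHAP, PAP], [PAP, CHAP]):
        for cname, client in CLIENTS.items():
            for bname, backend in BACKENDS.items():
                result, log = dial_in(order, client, backend)
                print("%s-first %-15s %-12s -> %-15s %s" % (NAMES[order[0]], cname, bname, result, log))
```

Running it prints the matrix the post describes in prose: with CHAP offered first, the accept-anything client lands on CHAP and a crypt()-hashed store cannot verify it; with PAP offered first, that client gets PAP and works, while the CHAP-only client Naks PAP and still ends up on CHAP. The model also makes the security side visible: whether a given client ever sends a cleartext password is decided by that client's own accept/Nak policy, and the NAS order only decides which protocol a client with no such policy lands on.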

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>