From: Scott Morris (swm@emanon.com)
Date: Mon Jul 25 2005 - 21:56:11 GMT-3
I believe it tells you in the docs that it won't work with CHAP. The
problem there being that the username is pre-encrypted and the router can't
unencrypt it in order to re-hash/encrypt it with other information for the
CHAP response. :)
This was something discovered after the lab guys' updates to 7.0 were done
and I made sure they were corrected for the 7.1 stuff.
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Gustavo Novais
Sent: Sunday, July 24, 2005 12:31 PM
To: lab
Subject: user <user> secret <password> and CHAP doubt
Hello
I'm doing a lab on which the requirement is that we use CHAP authentication,
but on one of the involved routers the username for the remote must be
stored such that you shouldn't be able to decode the password from the config.
This points me to user XXX secret pass, which encrypts the pass with MD5.
The thing is, as stated on
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e8/8e_md5.htm
CHAP doesn't "like" that we store the passwords as MD5. It needs them to be
in plain text so it can derive its own MD5 challenge.
I can turn around the issue by simply not authenticating the remote side,
thus no need of local username, and then it can be whatever I want. But I
think this is ugly...
This appeared on IPexpert challenge 26, ISDN question.
Any thoughts?
TIA
Gustavo
PS. I can also see what is the hash of the password and use the hash instead
of the password, and store it as plain text, but this would be even
uglier...
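
Added example, not part of the original thread: a short Python sketch of the RFC 1994 CHAP-MD5 calculation, showing why an authenticator that holds only a one-way hash of the secret cannot reproduce the peer's response. The salted-MD5 `one_way_store` is a simplified stand-in and not the algorithm IOS uses for `secret` entries; the secret, salt, identifier and challenge are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def one_way_store(secret: bytes, salt: bytes) -> bytes:
    """Simplified stand-in for a one-way stored secret (salted MD5).
    Assumption for illustration only; not the real IOS 'secret' algorithm."""
    return hashlib.md5(salt + secret).hexdigest().encode()


def authenticator_accepts(stored: bytes, identifier: int,
                          challenge: bytes, response: bytes) -> bool:
    """The authenticator can only put what it has stored into the formula."""
    expected = chap_response(identifier, stored, challenge)
    return hmac.compare_digest(expected, response)


def run_demo(challenge: bytes = b"") -> dict:
    secret = b"constructed-lab-secret"   # constructed sample secret
    salt = b"abcd"                       # constructed sample salt
    identifier = 7                       # constructed CHAP identifier
    challenge = challenge or os.urandom(16)

    # The peer knows the cleartext secret and answers the challenge with it.
    peer_resp = chap_response(identifier, secret, challenge)
    hashed = one_way_store(secret, salt)

    # Case from the PS: both ends are configured with the hash text itself.
    ps_resp = chap_response(identifier, hashed, challenge)
    return {
        "cleartext_store": authenticator_accepts(secret, identifier, challenge, peer_resp),
        "hashed_store": authenticator_accepts(hashed, identifier, challenge, peer_resp),
        "hash_text_as_secret": authenticator_accepts(hashed, identifier, challenge, ps_resp),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

In the third case the stored string is itself the CHAP secret, so anyone who can read the configuration can use it directly.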