Hi,
I am using the TACACS+ code from FreeBSD to do authentication against the server from Tacacs.net. It works with PAP but fails with the CHAP protocol. Looking at the logs on the server side, it shows that 'Data' contains the password in cleartext in the failure case, whereas in the success case (using the tool provided by Tacacs.net), the same 'Data' field contains a hashed value. So here are my questions:
- I am calling tac_open()/tac_add_server()/tac_create_authen()/tac_set_user()/tac_set_data()/tac_send_authen() in sequence. Is there anything special that I need to do in calling tac_set_data() (to set the password)? I checked the FreeBSD TACACS+ code; it does not seem to have any code doing the data hash when the authentication protocol is CHAP.
- In the TACACS+ RFC, it says for outbound CHAP: "The entire exchange MUST consist of a single START packet and a single REPLY. The START packet MUST contain the username in the user field and the data field will be a concatenation of the PPP id and the challenge."
-binlu
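To show what the CHAP 'data' field carries instead of the cleartext password, here is an added example (not code from the FreeBSD library, Tacacs.net, or the poster). It goes beyond the quoted outbound case and builds and checks the inbound CHAP START data field as the TACACS+ specification lays it out (PPP id, challenge, 16-octet response), with the response computed per RFC 1994 CHAP-MD5; the identifier, challenge and secret are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for illustration only. A real client takes the
# identifier and challenge from the PPP CHAP exchange and the secret from
# the peer's credentials; none of these come from the original post.
PPP_ID = 0x2A
CHALLENGE = bytes.fromhex("1122334455667788")
SECRET = b"example-secret"

RESPONSE_LEN = 16  # CHAP-MD5 response is always one MD5 digest


def chap_md5_response(ppp_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= ppp_id <= 0xFF:
        raise ValueError("PPP identifier is a single octet")
    return hashlib.md5(bytes([ppp_id]) + secret + challenge).digest()


def tacacs_inbound_chap_data(ppp_id: int, challenge: bytes, response: bytes) -> bytes:
    """TACACS+ inbound CHAP START 'data' field: id (1 octet) || challenge || response.

    This is the value a client hands to the library in place of a password;
    the password itself never goes on the wire.
    """
    if len(response) != RESPONSE_LEN:
        raise ValueError("CHAP-MD5 response must be 16 octets")
    if not challenge:
        raise ValueError("challenge must be non-empty")
    return bytes([ppp_id]) + challenge + response


def parse_inbound_chap_data(data: bytes):
    """Server-side split: challenge length = len(data) - 1 (id) - 16 (response)."""
    if len(data) < 1 + 1 + RESPONSE_LEN:
        raise ValueError("data field too short for id, challenge and response")
    return data[0], data[1:-RESPONSE_LEN], data[-RESPONSE_LEN:]


def verify_inbound_chap_data(data: bytes, secret: bytes) -> bool:
    """What a server does with the field: recompute the response from the stored
    secret and compare in constant time."""
    ppp_id, challenge, response = parse_inbound_chap_data(data)
    expected = chap_md5_response(ppp_id, secret, challenge)
    return hmac.compare_digest(expected, response)
```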