Hi,
I am using the TACACS+ code from FreeBSD to do authentication against the server from Tacacs.net. It works with PAP but fails with the CHAP protocol. Looking at the logs on the server side, it shows 'Data' contains the password in cleartext in failure case, whereas in success case (using the tool provided by Tacacs.net), the same 'Data' field contains a hashed value. So here are my questions:
-binlu
I am using the TACACS+ code from FreeBSD to do authentication against the server from Tacacs.net. It works with PAP but fails with the CHAP protocol. Looking at the logs on the server side, it shows 'Data' contains the password in cleartext in failure case, whereas in success case (using the tool provided by Tacacs.net), the same 'Data' field contains a hashed value. So here are my questions:
- I am calling tac_open()/tac_add_server()/tac_create_authen()/tac_set_user()/tac_set_data()/tac_send_authen() in sequence. Is there anything special that I need to do in calling tac_set_data() (to set the password)? I checked the FreeBSD TACACS+ code, it does not seem to have any code doing the data hash when the authentication protocol is CHAP.
- In the TACACS+ RFC, it says for outbound CHAP:
But I am not seeing the data field is a concatenation of the PPP ID and the challenge in the library code. Am I missing something?
-binlu