RadiusNT 2.22.41: Strange PAP/CHAP and NT problem

Darryl Ackernecht ( dackernecht@darefoods.com )
Wed, 4 Feb 1998 17:21:23 -0500

We use Cisco 2509/2511s running Radius in text mode. We have been
hard-coding passwords in the users file, but are now trying to get NT
authentication working. We have been using CHAP on the Ciscos.

If we test a user with a hard-coded password, both via radlogin and via a
PPP connection with the Cisco, authentication works.

When we take the same user, and change the password to point to
"WINNT\DOMAIN" (where DOMAIN is our NT domain), radlogin authentication
works, but PPP via the Cisco fails. The only difference that I could see
between using radlogin vs the Cisco was that radlogin uses PAP, and our
Cisco is setup for CHAP. Setting the Cisco to use PAP resolves the problem.

I don't really understand why this would make a difference? Also, I'm not
sure if it is that big of problem using PAP - doesn't radius perform
encryption between the client and server?

Any comments would be appreciated.

Darryl Ackernecht