PAP
The User-Password attribute in a requesting packet signals to the RADIUS server that the PAP protocol will be used for that transaction. It’s important to note that the only mandatory field in this case is the User-Password field. The User-Name field does not have to be included in the requesting packet, and it’s entirely possible that a RADIUS server along a proxy chain will change the value in the User-Name field.
The algorithm used to hide the original user’s password is composed of several elements. First, the client takes the identifier and the shared secret for the original request and feeds them through an MD5 hashing sequence. The client’s original password is then XORed with the output of that hash, and the result of these two sequences is placed in the User-Password field. The receiving RADIUS server reverses these procedures to determine whether to authorize the connection. Because of the way the password-hiding mechanism works, when authentication fails a user cannot determine whether the failure was caused by an incorrect password or an invalid shared secret. Most commercial RADIUS servers, though, include logic that looks at the series of packets previously transmitted from the same client: if a number of those packets passed through the connection correctly, the few packets that failed most likely did so because of an incorrect password.
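The hiding and recovery steps described above, as an added example that is not code from the original text. It follows RFC 2865 section 5.2, where the value hashed together with the shared secret is the 16-octet Request Authenticator of the Access-Request, and where a password longer than 16 octets is processed in chained 16-octet chunks. The shared secret, the Request Authenticator and the passwords below are constructed sample values, and `server_accepts()` is a hypothetical helper standing in for the server’s comparison against its stored credential.

```python
import hashlib
import hmac
import os

# Constructed sample values; a real client generates 16 random octets
# for the Request Authenticator of every Access-Request.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def _xor16(a: bytes, b: bytes) -> bytes:
    """XOR two 16-octet strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Build the User-Password attribute value (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 octets and split into
    chunks p1..pn. Each chunk is XORed with an MD5 digest:
        b1 = MD5(secret + RequestAuthenticator)   c1 = p1 XOR b1
        b2 = MD5(secret + c1)                      c2 = p2 XOR b2
        ...
    so every chunk after the first depends on the previous ciphertext chunk.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = _xor16(padded[i:i + 16], b)
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse hide_password() the way the server does, then strip NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 octets")
    padded = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        padded += _xor16(c, hashlib.md5(secret + prev).digest())
        prev = c  # the ciphertext chunk, not the plaintext, keys the next chunk
    return bytes(padded).rstrip(b"\x00")


def server_accepts(hidden: bytes, request_authenticator: bytes,
                   secret: bytes, stored_password: bytes) -> bool:
    """Hypothetical server-side decision: recover the password with the secret
    configured for this client and compare it to the stored credential.
    A wrong password and a wrong shared secret both just produce a mismatch,
    which is why the server cannot tell the two failures apart."""
    recovered = reveal_password(hidden, secret, request_authenticator)
    return hmac.compare_digest(recovered, stored_password)


if __name__ == "__main__":
    ra = os.urandom(16)
    hidden = hide_password(b"correct horse battery staple", SHARED_SECRET, ra)
    print("User-Password value:", hidden.hex())
    print("right secret, right password:",
          server_accepts(hidden, ra, SHARED_SECRET, b"correct horse battery staple"))
    print("wrong secret, right password:",
          server_accepts(hidden, ra, b"wrong-secret", b"correct horse battery staple"))
```

Two passwords that share their first 16 octets produce the same first ciphertext chunk, because only the later chunks are chained through the preceding ciphertext; this is what the RFC’s scheme gives you and is worth knowing when reasoning about what the hiding mechanism does and does not conceal.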