# TACACS+ auth using CHAP fails (against Tacacs.net server)



## blu2014 (Oct 9, 2014)

Hi,

I am using the TACACS+ code from FreeBSD to do authentication against the server from Tacacs.net. It works with PAP but fails with the CHAP protocol. Looking at the logs on the server side, it shows 'Data' contains the password in cleartext in failure case, whereas in success case (using the tool provided by Tacacs.net), the same 'Data' field contains a hashed value. So here are my questions:


I am calling tac_open()/tac_add_server()/tac_create_authen()/tac_set_user()/tac_set_data()/tac_send_authen() in sequence. Is there anything special that I need to do in calling tac_set_data() (to set the password)? I checked the FreeBSD TACACS+ code, it does not seem to have any code doing the data hash when the authentication protocol is CHAP.

In the TACACS+ RFC, it says for outbound CHAP:


> The entire exchange MUST consist
> of a single START packet and a single REPLY. The START packet MUST
> contain the username in the user field and the data field will be a
> concatenation of the PPP id and the challenge.


But I am not seeing the data field is a concatenation of the PPP ID and the challenge in the library code. Am I missing something?
Thanks a lot for any input.
-binlu


----------

