Sniffing PAP/CHAP
Roland Perry
roland at linx.net
Thu, 1 Jun 2000 21:03:26 +0100
A posting on uk.telecom has reminded me about PAP/CHAP authentication,
where, unless I am mistaken, the username and password are exchanged over
the network in encrypted form. How then will a passive interception
system "sniff" the necessary information from the RADIUS server sessions
to identify the suspect's session?

This isn't new; an ISP I helped found in 1995 used exclusively PAP/CHAP,
although I got the impression it may have been the first.
--
Roland Perry