(RADIATOR) How to return the challenge with "AuthBy OPIE"?

Ken Bell kenbell at panix.com
Wed Nov 3 12:40:42 CST 2004


Hi Mike,

Thank you for your quick reply.  I finally heard back from CheckPoint
support on this issue, and they claim that it's up to the RADIUS
server, not the NAS, to determine whether to use PAP or CHAP.  They
wrote:  "The CHAP, PAP is all configured on the RADIUS server
side-not on the FW-1 side +the firewall uses UDP port ONLY to talk
to RADIUS."  And, a bit further on after a basic description of
PAP and CHAP RADIUS authentication, they write:  "There is no such
option to configure CHAP, PAP, EAP on the firewall."

However, it may be that using CHAP is fine anyhow:  today, using
"radpwtst" with the "-chap" option, I find that Radiator returns
an OPIE Challenge when presented with an empty password string.

The earlier problem was that I couldn't enter an empty string for
the password via the FW-1 interface - it doesn't send anything at
all until some non-empty string is entered.  Ah, the benefits of
having Radiator's source code :-)  I therefore modified AuthOPIE.pm
to test the password against a special string in place of the empty
string, ''.  After doing that, I see that the Radiator log indicates
that it sent FW-1 the OPIE Challenge.

However, FW-1 appears to be noncompliant with RFC-2865, in that it
neither displays the OPIE Challenge to the user, nor does it return
an Access-Reject, but instead issues the curious response, "RADIUS
servers not responding".

I'm assuming that it would be compliant with RFC-2865 for a NAS to
accept and display the OPIE Challenge in a CHAP session, just as
it may do so in a PAP session.  If so, then it appears that I now
have to take this problem back to CheckPoint.  Your comment on this
point (either confirming or correcting my understanding with respect
to using CHAP and sending the OPIE Challenge back to the NAS) would
be appreciated.

Again, thank you very much for your help.

                                                  Ken
-- 
Ken Bell :: kenbell at panix.com   :: (212) 475-4976 (voice)

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
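The exchange the post is asking about, as an added example that is not part of the original message and not Radiator's or OPIE's own code: a minimal RFC 2865 encoder/decoder in which the server answers the first CHAP Access-Request with an Access-Challenge carrying the OPIE challenge in Reply-Message plus a State token, and the NAS displays the Reply-Message, echoes State, and sends a second CHAP-Password computed over the one-time password the user typed. The "placeholder password" in round one stands in for the special string the post describes substituting into AuthOPIE.pm; the OPIE database, user name, shared secret and challenge text are constructed sample values, and the rule "challenge whenever no State is present" is a simplification of what a real AuthBy OPIE does.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865 (CHAP response per RFC 1994).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE, ATTR_CHAP_CHALLENGE = 1, 3, 18, 24, 60

# Constructed stand-in for an OPIE database: user -> (challenge shown to the user, expected one-time password).
OPIE_DB = {"ken": ("otp-md5 497 ke1234 ext", "HOME BOOK STEP FOUR NINE TREE")}


def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), length including the 2-byte header, value."""
    out = b""
    for typ, val in attrs:
        if not 1 <= len(val) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out


def decode_attrs(data):
    attrs = []
    while data:
        typ, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((typ, data[2:length]))
        data = data[length:]
    return attrs


def build_request(ident, req_auth, attrs):
    """Access-Request: the 16 random Request Authenticator bytes double as the CHAP challenge when CHAP-Challenge is absent."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_reply(code, ident, req_auth, attrs, secret):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def reply_is_authentic(reply, req_auth, secret):
    """The NAS must check the Response Authenticator before acting on a challenge or accept."""
    _, _, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def chap_response(chap_ident, password, challenge):
    """CHAP-Password value minus its leading ident byte: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([chap_ident]) + password + challenge).digest()


def server_handle(request_pkt, secret, sessions, opie_db):
    """Toy server: no State -> Access-Challenge; State present -> verify CHAP over the one-time password."""
    _, ident, req_auth, attrs = parse_packet(request_pkt)
    a = dict(attrs)
    user = a[ATTR_USER_NAME].decode()
    state = a.get(ATTR_STATE)
    if state is None:
        token = os.urandom(8)
        sessions[token] = user  # remember who was challenged; the NAS must echo State unmodified
        return build_reply(ACCESS_CHALLENGE, ident, req_auth,
                           [(ATTR_REPLY_MESSAGE, opie_db[user][0].encode()), (ATTR_STATE, token)], secret)
    if sessions.pop(state, None) != user:  # unknown, replayed or mismatched State
        return build_reply(ACCESS_REJECT, ident, req_auth, [], secret)
    chap = a[ATTR_CHAP_PASSWORD]
    challenge = a.get(ATTR_CHAP_CHALLENGE, req_auth)
    ok = hmac.compare_digest(chap_response(chap[0], opie_db[user][1].encode(), challenge), chap[1:])
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], secret)


def nas_exchange(user, otp_typed, secret, opie_db):
    """Simulated compliant NAS; returns the reply codes seen and the challenge text it displayed."""
    sessions, codes = {}, []
    req_auth = os.urandom(16)
    chap = bytes([1]) + chap_response(1, b"placeholder-password", req_auth)  # round 1: trigger the challenge
    req = build_request(1, req_auth, [(ATTR_USER_NAME, user.encode()), (ATTR_CHAP_PASSWORD, chap)])
    reply = server_handle(req, secret, sessions, opie_db)
    if not reply_is_authentic(reply, req_auth, secret):
        raise ValueError("reply failed authenticator check")
    code, _, _, rattrs = parse_packet(reply)
    codes.append(code)
    if code != ACCESS_CHALLENGE:
        return codes, None
    r = dict(rattrs)
    shown = r[ATTR_REPLY_MESSAGE].decode()  # a compliant NAS shows this to the user and prompts again
    req_auth = os.urandom(16)
    chap = bytes([2]) + chap_response(2, otp_typed.encode(), req_auth)  # round 2: CHAP over the typed OTP
    req = build_request(2, req_auth, [(ATTR_USER_NAME, user.encode()), (ATTR_CHAP_PASSWORD, chap),
                                      (ATTR_STATE, r[ATTR_STATE])])
    reply = server_handle(req, secret, sessions, opie_db)
    if not reply_is_authentic(reply, req_auth, secret):
        raise ValueError("reply failed authenticator check")
    codes.append(parse_packet(reply)[0])
    return codes, shown


if __name__ == "__main__":
    print(nas_exchange("ken", "HOME BOOK STEP FOUR NINE TREE", b"s3cret", OPIE_DB))
```

The behaviour the post reports from FW-1 corresponds to the NAS dropping the code-11 reply instead of reaching the `shown = ...` line: the challenge is only usable if the NAS treats Access-Challenge as a valid reply in a CHAP session, displays Reply-Message, and echoes State in the next Access-Request.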
