[RADIATOR] PAP and CHAP

Heikki Vatiainen hvn at open.com.au
Fri Oct 21 03:35:58 CDT 2011


On 10/21/2011 11:21 AM, M P wrote:

> May I know how to determine whether the incoming Access-Request is PAP
> or CHAP? What are the things to consider in CHAP?

You check for the presence of the CHAP-Password attribute. Here's an example
showing the difference between PAP and CHAP.

% ./radpwtst -trace 4 -noacct
Fri Oct 21 11:32:49 2011: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Fri Oct 21 11:32:49 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Access-Request
Identifier: 79
Authentic:  L}!<139><26>/<14>mC<27><229>S"\<<252>
Attributes:
	User-Name = "mikem"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	User-Password = Pdr<243><193><25>,<128><198><183>=.<130><211>s$


% ./radpwtst -trace 4 -noacct -chap
Fri Oct 21 11:32:52 2011: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Fri Oct 21 11:32:52 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Access-Request
Identifier: 82
Authentic:  ^<146>+<222><249><213><128>K;<171><148>0<218><241>X<158>
Attributes:
	User-Name = "mikem"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	CHAP-Password = 5S<170><235><146><30><135><252><190><135><244>.cx<249><173>~
	CHAP-Challenge = 1234567890123456


> I am currently using an AuthBy EXTERNAL for PAP with the following
> configuration:
> 
> <Handler Realm=testing>
>     <AuthBy EXTERNAL>
>         RejectEmptyPassword
>         DecryptPassword
>         Command /usr/local/sbin/radiator-auth
>         Fork
>     </AuthBy>
>     RejectHasReason
> </Handler>
> 
> Now, I want the external command to support both PAP and CHAP. Right
> now, PAP works fine already. I'm not sure yet how to extend the support
> for CHAP that will co-exist on the same script as on the current one.

Try extending your external command to watch for CHAP-Password and then
act accordingly for CHAP authentication if the attribute is present.

Thanks!
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
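
The check described in the reply above, as an added example that is not part of the original post and is not Radiator code: choose PAP or CHAP by the presence of CHAP-Password, then verify CHAP as RFC 2865 defines it. It assumes the external command has already parsed the request into a dict of raw byte values and has the user's cleartext password, which CHAP verification requires; the function names and sample values are hypothetical.

```python
import hashlib
import hmac

def auth_method(attrs):
    """CHAP if CHAP-Password is present, PAP if User-Password is, else None."""
    if "CHAP-Password" in attrs:
        return "CHAP"
    if "User-Password" in attrs:
        return "PAP"
    return None

def chap_response(chap_id, cleartext, challenge):
    # RFC 1994 / RFC 2865: MD5(CHAP ident octet || password || challenge)
    return hashlib.md5(bytes([chap_id]) + cleartext + challenge).digest()

def verify_chap(attrs, request_authenticator, cleartext):
    value = attrs["CHAP-Password"]
    if len(value) != 17:  # 1 ident octet + 16 octets of MD5 response
        return False
    # RFC 2865: the challenge is CHAP-Challenge when present,
    # otherwise the 16-octet Request Authenticator of the packet.
    challenge = attrs.get("CHAP-Challenge") or request_authenticator
    expected = chap_response(value[0], cleartext, challenge)
    return hmac.compare_digest(expected, value[1:])  # constant-time compare

def verify_pap(attrs, cleartext):
    # Assumes User-Password arrives already decrypted (DecryptPassword is
    # set in the quoted configuration); empty passwords are refused.
    supplied = attrs["User-Password"]
    return bool(supplied) and hmac.compare_digest(supplied, cleartext)

def authenticate(attrs, request_authenticator, cleartext):
    method = auth_method(attrs)
    if method == "CHAP":
        return verify_chap(attrs, request_authenticator, cleartext)
    if method == "PAP":
        return verify_pap(attrs, cleartext)
    return False  # neither attribute present: nothing to verify

# Constructed sample data, not taken from the traces above.
SECRET = b"example-password"
AUTHENTICATOR = bytes(range(16))
CHALLENGE = b"1234567890123456"
SAMPLE_PAP = {"User-Name": b"mikem", "User-Password": SECRET}
SAMPLE_CHAP = {
    "User-Name": b"mikem",
    "CHAP-Password": bytes([0x35]) + chap_response(0x35, SECRET, CHALLENGE),
    "CHAP-Challenge": CHALLENGE,
}
```

Because the response is an MD5 over the password itself, a script that only stores one-way password hashes can serve PAP but cannot verify CHAP.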

