(RADIATOR) secret key usage in combination with CHAP/PAP
Hugh Irvine
hugh at open.com.au
Fri Apr 11 02:32:19 CDT 2003
Hello Mohamed -
What you describe is correct, according to the Radius RFCs.
It is somewhat confusing I agree.
Have a look at section 2.2 of RFC2865 ("doc/rfc2865.txt").
I have copied this mail to Mike for further comments.
regards
Hugh
On Friday, Apr 11, 2003, at 17:18 Australia/Melbourne, mohamed wrote:
> Hi
>
> The secret key allows the communication between the client and the
> radius server, this is also mentioned in the manual:
>
> <Client DEFAULT>
> # Configuration parameters for the Client go here
> .....
> </Client>
>
> Hint: The configuration file will usually contain the shared secrets
> that allow your Radius clients to communicate with the Radiator Radius
> server.
>
> From the Hint above I can conclude that a client with a wrong secret key
> will not be accepted to communicate with it. This communication
> security between the clients and the server must be performed in
> combination with every PPP protocol (PAP or CHAP). The secret key is
> also used to encrypt the PAP clear text password, this is not applied
> for CHAP.
>
> In our test we have configured different secret keys on the client side
> and the proxy radius server, see the setup below:
>
> Client ------------ Proxy Radius ------------ Authentication Radius
>
> We expect that there will be no communication possible between the
> Client and the Proxy, unfortunately the test results prove the
> opposite. We did two test scenarios for PAP and CHAP:
>
> PAP: the communication is possible end-to-end from the client through
> the proxy to the authentication radius. The reply is an ACCESS-REJECT,
> because of the secret encryption and decryption with different keys
> between the client and the proxy, this is understandable.
>
> CHAP: the communication is possible end-to-end from the client through
> the proxy to the authentication radius. The reply is in this case an
> ACCESS-ACCEPT! Note that the secrets are still different between the
> Client and the proxy. This is not understandable.
>
> Conclusion:
>
> I can conclude the secret key is not used to allow the communication
> between the client and Radius and is only used to encrypt the PAP
> password. I am now confused about the working of the secret key, can
> you clarify this to me.
>
> With Kind Regards
>
> Mohamed Majdoubi
> System Engineer
> KPN Telecom
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
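
Added example (not part of the original thread and not Radiator's code): Python code for the RFC 2865 section 5.2 User-Password hiding and the RFC 1994 CHAP check, showing on a single client-to-server hop why mismatched shared secrets break PAP but leave CHAP unaffected. The function names are hypothetical, and the secrets, password, challenge and authenticator are constructed sample values.

```python
import hashlib
import hmac

def _blocks(data: bytes):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: what the RADIUS client does to a PAP password."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = [], req_auth
    for block in _blocks(padded):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(block, pad))
        out.append(prev)
    return b"".join(out)

def recover_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse step on the receiving server, using its own copy of the secret."""
    out, prev = [], req_auth
    for block in _blocks(hidden):
        pad = hashlib.md5(secret + prev).digest()
        out.append(bytes(c ^ k for c, k in zip(block, pad)))
        prev = block
    return b"".join(out).rstrip(b"\x00")

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5(id || password || challenge); no RADIUS secret involved."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_id, response, challenge, stored_password, server_secret):
    """Server-side CHAP check; server_secret is accepted but never used."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)

def scenario():
    # Constructed sample values, not taken from the thread.
    password, req_auth = b"s3cret-pw", bytes(range(16))
    client_secret, proxy_secret = b"client-secret", b"proxy-secret"
    challenge, chap_id = bytes(range(16, 32)), 7
    hidden = hide_password(password, client_secret, req_auth)
    pap_same = recover_password(hidden, client_secret, req_auth) == password
    # Mismatched secret: a different MD5 pad yields garbage -> Access-Reject.
    pap_mismatch = recover_password(hidden, proxy_secret, req_auth) == password
    # CHAP attributes are checked against the stored password only.
    response = chap_response(chap_id, password, challenge)
    chap_mismatch = chap_verify(chap_id, response, challenge, password, proxy_secret)
    return pap_same, pap_mismatch, chap_mismatch

if __name__ == "__main__":
    print(scenario())
```

Under RFC 2865 alone the Request Authenticator in an Access-Request is a random value rather than a keyed check, so the receiving server has nothing in the request to test the secret against.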