(RADIATOR) secret key usage in combination with CHAP/PAP

Hugh Irvine hugh at open.com.au
Tue Apr 29 18:07:50 CDT 2003


Hello Mohamed -

Thanks for sending the debug.

What you observe is "correct" as far as Radiator (and the radius 
protocol) is concerned.

When using CHAP there is no way to determine whether or not the shared 
secrets match.

I have copied Mike on this mail for further comments.

regards

Hugh


On Wednesday, Apr 30, 2003, at 00:11 Australia/Melbourne, mohamed wrote:

> Hi Hugh,
>
> Sorry for the delay. Below you can find the configuration file and the
> logfile output in case of CHAP and PAP.
>
> Note that this test is done in combination with a wrong secret.
>
> With Kind Regards
>
> Mohamed
>
> __________________________________________
>
> Configuration file
>
> LogDir /opt/Radiator/log
> DbDir /opt/Radiator/
> #AcctDir /opt/APPradiator/log
> Trace          4
> AcctPort 1813
>
> AuthPort 1812
> LogFile
>
> <Client DEFAULT>
>        Secret         test
>        DupInterval    0
> </Client>
>
> <Log FILE>
>        Filename       %L/logfile-%Y-%m-%d
>        Trace          5
> </Log>
>
> <Realm DEFAULT>
>        RejectHasReason
>        <AuthBy FILE>
>                NoDefault
>                Filename %D/users
>        </AuthBy>
> </Realm>
>
> ______________________________________
>
> Output of an access-accept in case of CHAP:
>
> Tue Apr 29 15:23:59 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1059 ....
> Code:      Access-Request
> Identifier: 88
> Authentic: 1234567890123456
> Attributes:
>        User-Name = "user2 at isp2"
>        Service-Type = Framed-User
>        NAS-IP-Address = 203.63.154.1
>        NAS-Port = 1234
>        NAS-Port-Type = Async
>        CHAP-Password = 5?K<9><199><204><157><145><187>s.<180>hR<133><253><161>
>        CHAP-Challenge = 1234567890123456
>
> Tue Apr 29 15:23:59 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Apr 29 15:23:59 2003: DEBUG: Deleting session for user2 at isp2, 203.63.154.1, 1234
> Tue Apr 29 15:23:59 2003: DEBUG: Handling with Radius::AuthFILE
> Tue Apr 29 15:23:59 2003: DEBUG: Radius::AuthFILE looks for match with user2 at isp2
> Tue Apr 29 15:23:59 2003: DEBUG: Radius::AuthFILE ACCEPT:
> Tue Apr 29 15:23:59 2003: DEBUG: Access accepted for user2 at isp2
> Tue Apr 29 15:23:59 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1059 ....
> Code:      Access-Accept
> Identifier: 88
> Authentic: 1234567890123456
> Attributes:
>        Framed-IP-Address = 10.17.32.17
>        Framed-Protocol = PPP
>        Service-Type = Framed-User
>        Framed-IP-Netmask = 255.255.255.240
>        Ascend-Client-Primary-DNS = 194.151.52.4
>
> __________________________________
>
> Output of an access-reject in case of PAP:
>
> Tue Apr 29 15:27:14 2003: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1059 ....
> Code:      Access-Request
> Identifier: 28
> Authentic: 1234567890123456
> Attributes:
>        User-Name = "user2 at isp2"
>        Service-Type = Framed-User
>        NAS-IP-Address = 203.63.154.1
>        NAS-Port = 1234
>        NAS-Port-Type = Async
>        User-Password = "<140><248>:<223><157>\<4><246><188>8<9><160><216>}x<153>"
>
> Tue Apr 29 15:27:14 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Apr 29 15:27:14 2003: DEBUG: Deleting session for user2 at isp2, 203.63.154.1, 1234
> Tue Apr 29 15:27:14 2003: DEBUG: Handling with Radius::AuthFILE
> Tue Apr 29 15:27:14 2003: DEBUG: Radius::AuthFILE looks for match with user2 at isp2
> Tue Apr 29 15:27:14 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
> Tue Apr 29 15:27:14 2003: INFO: Access rejected for user2 at isp2: Bad Password
> Tue Apr 29 15:27:14 2003: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1059 ....
> Code:      Access-Reject
> Identifier: 28
> Authentic: 1234567890123456
> Attributes:
>        Reply-Message = "Bad Password"

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
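
Why the two traces above differ, as an added example that is not part of the original thread and is not Radiator's code: per RFC 2865 the PAP User-Password is hidden with the shared secret, while the CHAP-Password is computed from the user's password and the challenge only. The authenticator/challenge value and the secret "test" are taken from the thread; the password, the client's wrong secret and the CHAP ident are constructed.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo pap_hide using the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: ident octet + MD5(ident + password + challenge); no secret."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def server_accepts(request: dict, server_secret: bytes, stored: bytes) -> bool:
    """Decide one Access-Request against the stored cleartext password."""
    if "CHAP-Password" in request:
        sent = request["CHAP-Password"]
        expected = chap_password(sent[0], stored, request["CHAP-Challenge"])
        return hmac.compare_digest(sent, expected)  # server_secret is never used
    clear = pap_reveal(request["User-Password"], server_secret, request["Authentic"])
    return hmac.compare_digest(clear, stored)  # wrong secret gives garbage here

# Constructed sample: AUTH and the secret "test" appear in the thread; the
# password, the client's wrong secret and the CHAP ident 0x35 are made up.
AUTH = b"1234567890123456"
PASSWORD, SERVER_SECRET, WRONG_SECRET = b"fred", b"test", b"wrong"
pap_req = {"Authentic": AUTH, "User-Password": pap_hide(PASSWORD, WRONG_SECRET, AUTH)}
chap_req = {"Authentic": AUTH, "CHAP-Challenge": AUTH,
            "CHAP-Password": chap_password(0x35, PASSWORD, AUTH)}

if __name__ == "__main__":
    print("PAP  accepted:", server_accepts(pap_req, SERVER_SECRET, PASSWORD))
    print("CHAP accepted:", server_accepts(chap_req, SERVER_SECRET, PASSWORD))
```

The Response Authenticator in the reply is computed with the shared secret, so a client that verifies it would still discard this Access-Accept.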
