(RADIATOR) shared secret and CHAP (revisitte)
Hugh Irvine
hugh at open.com.au
Mon Dec 6 20:15:57 CST 2004
Hello Tariq -
Further to my previous post, and for the benefit of the list, please
note that this is a limitation of the RADIUS protocol rather than a
limitation of Radiator. There is no way with CHAP to determine whether
the shared secrets are correct or not.
regards
Hugh
On 7 Dec 2004, at 08:40, Hugh Irvine wrote:
>
> Hello Tariq -
>
> Unfortunately Radiator has no way of knowing whether the shared secret
> is correct or not.
>
> regards
>
> Hugh
>
>
> On 6 Dec 2004, at 22:39, Tariq Rashid wrote:
>
>>
>> Hi all,
>>
>> I'm seeing some behaviour which I was suprised by. I saw that when
>> using
>> CHAP, the shared secret doesn't have to match. As long as the
>> username and
>> the associated password match, an Access-Accept is issued.
>>
>> This has been discussed before:
>> http://www.open.com.au/archives/radiator/2003-04/msg00114.html
>>
>> However, I wonder if current radiators (i'm still using 3.3 and 3.8
>> and
>> nothing newer yet) are modified to fix this? I know that according to
>> the
>> protocol, this is not incorrect behaviour!
>>
>> Any thoughts regarding that layer of security would be appreciated! I
>> is
>> useful to drop connections and not reply to those NASes which don't
>> have the
>> correct shared secret. This saved server resources and also doesnt
>> credit
>> any intruders with a rsponse.
>>
>> (I also noticed that raidator will reply to auth and acct requests to
>> acct
>> and auth ports respectively - but this seems to be documented!)
>>
>> Tariq
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list