(RADIATOR) Advice needed... proxying MS-CHAP V2 requests to non-supporting Radius server.

Ray Van Dolson rayvd at corp.digitalpath.net
Tue Jul 20 14:26:08 CDT 2004


We're working with another ISP who is reselling our services.  Currently,
users authenticate via our Radius server, but in addition to that, we would
like to authenticate to this ISP's Radius server as well.

One problem: Their Radius server does not support MSCHAP.

All of our customers tunnel in to our servers with MPPE which requires 
MSCHAP.  This of course does not provide our Radius server with a 
User-Password attribute to pass to the second ISP's Radius server.  Without
one, they reject any Access requests.

Now the easy solution would seem to be to have them put in support for
MSCHAP and in the end this may be what happens... in the meantime, I am
trying to figure out if there is a way I can simulate a non MSCHAP login
and craft my own Radius request to send to the ISP's Rad server.

I would like to authenticate against our SQL database, and if the password
matches, retrieve the (plain text as required by MSCHAPv2) password and
save it to a variable.  Then somehow encrypt this with the MD5-method that
Radius expects, strip out the MSCHAP attributes and append the User-Password
one that I just generated and forward it on to the ISP's Rad server and get
back the reply attributes that I need access to.

Is this a decent way of approaching the problem?  I guess using AuthBy
External would be the way I'd have to approach this, but I'm not sure how 
to pass it variables from a previous SQL query from an Auth SQL block.

Anyways, looking for suggestions here...
Ray
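
The User-Password step described in the message above, as an added example that is not part of the original post or of Radiator: the RFC 2865 MD5-based hiding of a plain-text password, combined with dropping the Microsoft (vendor 311) MS-CHAP attributes. The function names, the attribute-list representation and all sample values are assumptions constructed for illustration; the secret and Request Authenticator must be those of the new request sent to the second server.

```python
import hashlib
import struct

USER_PASSWORD = 2          # RFC 2865 attribute type
VENDOR_SPECIFIC = 26       # RFC 2865 attribute type
MICROSOFT_VENDOR_ID = 311  # RFC 2548 vendor id (MS-CHAP-Challenge, MS-CHAP2-Response)

def _xor_chain(data, secret, authenticator, decrypt):
    # b1 = MD5(secret + RA), b(i) = MD5(secret + c(i-1)); c(i) = p(i) XOR b(i)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result  # always chain on the hidden block
    return out

def hide_user_password(password, secret, authenticator):
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    return _xor_chain(padded, secret, authenticator, decrypt=False)

def reveal_user_password(hidden, secret, authenticator):
    # What the receiving server does; NUL padding is stripped.
    return _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def _is_microsoft_vsa(attr_type, value):
    return (attr_type == VENDOR_SPECIFIC and len(value) >= 4
            and struct.unpack("!I", value[:4])[0] == MICROSOFT_VENDOR_ID)

def rewrite_for_pap(attrs, password, secret, authenticator):
    """attrs is a list of (type, value); returns the list for the outgoing request."""
    kept = [(t, v) for t, v in attrs
            if t != USER_PASSWORD and not _is_microsoft_vsa(t, v)]
    kept.append((USER_PASSWORD, hide_user_password(password, secret, authenticator)))
    return kept

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

# Constructed sample request: User-Name plus two zero-filled Microsoft VSAs.
SAMPLE_ATTRS = [
    (1, b"ray"),
    (26, struct.pack("!I", 311) + bytes([11, 18]) + bytes(16)),  # MS-CHAP-Challenge
    (26, struct.pack("!I", 311) + bytes([25, 52]) + bytes(50)),  # MS-CHAP2-Response
]
```

The hiding is reversible by anyone holding the shared secret, so the second server receives the customer's clear-text password.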
