(RADIATOR) Advice needed... proxying MS-CHAP V2 requests to non-supporting Radius server.
Hugh Irvine
hugh at open.com.au
Tue Jul 20 18:05:59 CDT 2004
Hello Ray -
You might be able to do this with a PreAuthHook (that calls an AuthBy
SQL clause) and an AuthBy RADIUS clause followed by a ReplyHook. I am
not sure if this will work or not, but it will be interesting to see
the result.
There are some examples in "goodies/hooks.txt".
Of course you should also have a look at the code in
"Radius/AuthRADIUS.pm".
regards
Hugh
On 21 Jul 2004, at 05:26, Ray Van Dolson wrote:
> We're working with another ISP who is reselling our services. Currently,
> users authenticate via our Radius server, but in addition to that, we would
> like to authenticate to this ISP's Radius server as well.
>
> One problem: Their Radius server does not support MSCHAP.
>
> All of our customers tunnel in to our servers with MPPE which requires
> MSCHAP. This of course does not provide our Radius server with a
> User-Password attribute to pass to the second ISP's Radius server. Without
> one, they reject any Access requests.
>
> Now the easy solution would seem to be to have them put in support for
> MSCHAP and in the end this may be what happens... in the meantime, I am
> trying to figure out if there is a way I can simulate a non MSCHAP login
> and craft my own Radius request to send to the ISP's Rad server.
>
> I would like to authenticate against our SQL database, and if the password
> matches, retrieve the (plain text as required by MSCHAPv2) password and
> save it to a variable. Then somehow encrypt this with the MD5-method that
> Radius expects, strip out the MSCHAP attributes and append the User-Password
> one that I just generated and forward it on to the ISP's Rad server and get
> back the reply attributes that I need access to.
>
> Is this a decent way of approaching the problem? I guess using AuthBy
> External would be the way I'd have to approach this, but I'm not sure how
> to pass it variables from a previous SQL query from an Auth SQL block.
>
> Anyways, looking for suggestions here...
> Ray
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
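The "MD5-method" mentioned in the quoted question is the User-Password hiding of RFC 2865 section 5.2; the following is an added example, not part of the original post and not Radiator's own code. The function names and all sample values are hypothetical. The hidden value depends on the shared secret and Request Authenticator of the packet that carries it, so it has to be computed for the request sent to the second server, not for the one received.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5);

# RFC 2865 section 5.2: hide a password for the User-Password attribute.
# $secret is the secret shared with the server this packet is sent to, and
# $authenticator is the 16-octet Request Authenticator of that same packet.
# All arguments are byte strings.
sub hide_user_password {
    my ($password, $secret, $authenticator) = @_;
    die "Request Authenticator must be 16 octets\n"
        unless length($authenticator) == 16;
    die "password must be 1 to 128 octets\n"
        unless length($password) >= 1 && length($password) <= 128;

    # Pad with NULs to a multiple of 16 octets.
    my $padded = $password . ("\0" x ((16 - length($password) % 16) % 16));
    my ($hidden, $prev) = ('', $authenticator);
    for (my $i = 0; $i < length($padded); $i += 16) {
        # c(i) = p(i) XOR MD5(secret . c(i-1)), with c(0) = authenticator
        my $block = substr($padded, $i, 16) ^ md5($secret . $prev);
        $hidden .= $block;
        $prev = $block;
    }
    return $hidden;
}

# The receiving server reverses the same chain and strips the NUL padding.
sub reveal_user_password {
    my ($hidden, $secret, $authenticator) = @_;
    die "hidden value must be 16 to 128 octets, in 16-octet blocks\n"
        if !length($hidden) || length($hidden) % 16 || length($hidden) > 128;
    my ($plain, $prev) = ('', $authenticator);
    for (my $i = 0; $i < length($hidden); $i += 16) {
        my $block = substr($hidden, $i, 16);
        $plain .= $block ^ md5($secret . $prev);
        $prev = $block;
    }
    $plain =~ s/\0+\z//;
    return $plain;
}

# Constructed sample values, not taken from the thread. A real request
# uses a fresh random authenticator for every packet.
my $secret        = 'example-upstream-secret';
my $authenticator = pack('H*', '000102030405060708090a0b0c0d0e0f');
my $password      = 'plaintext-from-sql-lookup';    # 25 octets, two blocks

my $hidden = hide_user_password($password, $secret, $authenticator);
printf "User-Password (%d octets): %s\n", length($hidden), unpack('H*', $hidden);
my $back = reveal_user_password($hidden, $secret, $authenticator);
print $back eq $password ? "round trip ok\n" : "round trip FAILED\n";
```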