(RADIATOR) How to return the challenge with "AuthBy OPIE"?

Mike McCauley mikem at open.com.au
Mon Nov 1 18:48:29 CST 2004


Hello Ken,


On Tuesday 02 November 2004 09:23, Ken Bell wrote:
> On Fri, Oct 29, 2004 at 07:52:39AM +1000, Mike McCauley wrote:
> > On Friday 29 October 2004 05:47, Ken Bell wrote:
> > > When using "AuthBy OPIE", how does one get Radiator to return the
> > > challenge (OTP sequence number) to the caller?  Thanks.
> >
> > In the case of Radius PAP, the challenge is returned to the NAS in the
> > Reply-Message. Whether or not this is displayed to the user depends on
> > the NAS and the client.
> >
> > In the case of EAP-OTP and EAP-GTC, it is returned in the EAP message as
> > required by the EAP standards. Most EAP clients will display the
> > challenge to the user.
>
> Hi Mike,
>
> Let me then rephrase my question :-)
>
> I am trying to use Radiator to authenticate with OPIE for a CheckPoint
> firewall user.  My radius.cfg is basically what is found in "opie.cfg"
> in Radiator's "goodies" directory.  Authentication works, provided
> that the user keeps track of the OTP sequence number, but it does
> not appear that Radiator ever returns an OPIE challenge to the
> firewall (caller).  Is this the fault of my configuration file, or
> should the firewall be sending some request for a challenge prior
> to prompting the user for his password?

If your CheckPoint is using Radius-PAP, then AuthBy OPIE _should_ set the 
Reply-Message in the Challenge to contain the OPIE challenge.

In order to tell whether that is happening correctly, you should run your 
Radiator at trace level 4, and examine the log file. 
If you still have problems, post the log file and your Radiator config (no 
secrets) to the Radiator mailing list.


>
> Also, can I can provoke an OPIE challenge via "radpwtst"? I tried
> sending an empty password, but simply get an auth reject.  If I
> understand "AuthOPIE.pm", though, it appears that an empty password
> is what triggers the challenge response.

That is correct. An empty password should trigger the challenge:

./radpwtst -noacct -user mikem -password ''

If that is not happening, you should examine the log file at trace level 4 for 
clues.

>
> Finally, on a related but not crucial note, I tried the "-gui"
> option to radpwtst, and find that changing the values in the "To
> this server" section (Name, Secret, Auth Port and Acct Port), does
> not change what radpwtst actually uses; for that I must invoke
> radpwtst with the desired options in the first place. 

Thanks for reporting that.
This was a bug that was introduced when IPV6 support was added. We have now 
fixed it and a new version of radpwtst is now available in the 3.11 patches 
area.
We apologise for this problem.


> Also, it 
> appears that the list box for "Service-Type" is truncated, rather
> than scrolling (the last type I see is "GRIC-PhoneHandset-User").
Thanks also for reporting this. In fact it was also (incorrectly) showing the 
options for Alteon-Service-Type as well as Service-Type. Fixed in the 3.11 
patch set.
We apologise for this problem.

Cheers.

>
> Thanks.
>
>                                                   Ken

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
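The exchange Mike describes (an Access-Request carrying an empty password, an Access-Challenge whose Reply-Message carries the OPIE challenge, then a second request that echoes the server's State and carries the one-time password) as an added, self-contained example. This is not Radiator's AuthBy OPIE code and not code from the thread: the packet framing and User-Password hiding follow RFC 2865 and the one-time password follows the RFC 2289 otp-md5 scheme with hex-form responses, but the toy server, its "otp-md5 SEQ SEED" challenge text, its use of the State attribute, the shared secret, the user "ken", the seed "ke1234", the passphrase and the sequence number are all constructed for the example, and Radiator's actual Reply-Message wording is not reproduced. It also covers the case Ken started from (a user who keeps track of the sequence number and sends the OTP directly, without asking for a challenge), and it verifies the Response Authenticator on the client side and refuses a replayed OTP on the server side, which are the checks a practitioner would want to see happen.

```python
"""Simulated RADIUS PAP / OPIE challenge round trip (constructed example, not Radiator's AuthBy OPIE):
an empty User-Password yields an Access-Challenge carrying the OPIE challenge in Reply-Message."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                # RFC 2865 attribute types
SECRET = b"radius-shared-secret"  # constructed shared secret for the simulation

def pap_hide(password, secret, authenticator, unhide=False):
    """RFC 2865 section 5.2 User-Password hiding; unhide=True reverses it."""
    data = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")  # empty password -> one block
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev, out = (chunk if unhide else block), out + block  # chaining always uses the ciphertext block
    return out.rstrip(b"\x00") if unhide else out

def encode(code, ident, auth, attrs, request_auth=None):
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    if request_auth is not None:  # reply: Response Authenticator per RFC 2865 section 3
        auth = hashlib.md5(head + request_auth + body + SECRET).digest()
    return head + auth + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def attr(attrs, t): return next((v for k, v in attrs if k == t), None)
def fold(d): return bytes(a ^ b for a, b in zip(d[:8], d[8:]))
def reply_authentic(pkt, request_auth): return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SECRET).digest() == pkt[4:20]

def otp_md5(seed, passphrase, seq):
    """RFC 2289 otp-md5: fold MD5(seed + passphrase) to 64 bits, then seq more hash-and-fold rounds."""
    h = fold(hashlib.md5((seed + passphrase).encode()).digest())
    for _ in range(seq):
        h = fold(hashlib.md5(h).digest())
    return h

class OpieServer:
    """Holds per user (seed, seq, otp_md5(seed, passphrase, seq)); the passphrase itself is not kept."""
    def __init__(self, user, seed, passphrase, seq):
        self.users, self.pending = {user: (seed, seq, otp_md5(seed, passphrase, seq))}, {}

    def handle(self, pkt):
        code, ident, auth, attrs = decode(pkt)
        user = (attr(attrs, USER_NAME) or b"").decode(errors="replace")
        if code != ACCESS_REQUEST or user not in self.users:
            return encode(ACCESS_REJECT, ident, None, [], auth)
        pw = pap_hide(attr(attrs, USER_PASSWORD) or b"", SECRET, auth, unhide=True)
        state, (seed, seq, stored) = attr(attrs, STATE), self.users[user]
        if not pw and state is None:
            token = os.urandom(8)  # State ties the second request to this challenge
            self.pending[token] = user
            msg = f"otp-md5 {seq - 1} {seed}".encode()
            return encode(ACCESS_CHALLENGE, ident, None, [(REPLY_MESSAGE, msg), (STATE, token)], auth)
        if state is not None and self.pending.pop(state, None) != user:
            return encode(ACCESS_REJECT, ident, None, [(REPLY_MESSAGE, b"unknown or stale State")], auth)
        try:  # the answer is the hex OTP for seq-1; one more round must reproduce the stored value
            resp = bytes.fromhex(pw.decode())
        except ValueError:
            resp = b""
        if len(resp) == 8 and fold(hashlib.md5(resp).digest()) == stored:
            self.users[user] = (seed, seq - 1, resp)  # advance, so the same OTP cannot be replayed
            return encode(ACCESS_ACCEPT, ident, None, [], auth)
        return encode(ACCESS_REJECT, ident, None, [], auth)

def client_request(ident, user, password, state=None):
    auth = os.urandom(16)  # Request Authenticator, also the key for PAP hiding
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(password, SECRET, auth))]
    return encode(ACCESS_REQUEST, ident, auth, attrs + ([(STATE, state)] if state else []))

def challenge_login(server, user, responder):
    """radpwtst -noacct -user USER -password '' and then the answer; returns (first code, challenge, final code)."""
    req = client_request(1, user, b"")
    rep = server.handle(req)
    code, _, _, attrs = decode(rep)
    if not reply_authentic(rep, req[4:20]) or code != ACCESS_CHALLENGE:
        return code, None, None
    challenge = attr(attrs, REPLY_MESSAGE).decode()
    req2 = client_request(2, user, responder(challenge), attr(attrs, STATE))
    rep2 = server.handle(req2)
    return code, challenge, (decode(rep2)[0] if reply_authentic(rep2, req2[4:20]) else None)

def opie_responder(passphrase):
    """Answer 'otp-md5 SEQ SEED' as an OPIE calculator would, in hex form."""
    def respond(challenge):
        _, seq, seed = challenge.split()
        return otp_md5(seed, passphrase, int(seq)).hex().encode()
    return respond
```

To walk through it, build OpieServer("ken", "ke1234", "correct horse battery", 500) and call challenge_login(server, "ken", opie_responder("correct horse battery")): the first reply is an Access-Challenge whose Reply-Message reads "otp-md5 499 ke1234", and the second request is accepted. Sending the same OTP again is rejected because the server has moved its stored value down to sequence 499, which is the same reason the user in the thread has to keep track of the sequence number when no challenge is displayed. When debugging a real NAS against Radiator, the equivalent evidence is the Access-Challenge and its Reply-Message attribute in the trace level 4 log, not the NAS prompt, since whether the NAS shows that text to the user is the NAS's decision.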

