(RADIATOR) How to return the challenge with "AuthBy OPIE"?

Mike McCauley mikem at open.com.au
Wed Nov 3 16:22:51 CST 2004


Hello Ken,


On Thursday 04 November 2004 04:40, Ken Bell wrote:
> Hi Mike,
>
> Thank you for your quick reply.  I finally heard back from CheckPoint
> support on this issue, and they claim that it's up to the RADIUS
> server, not the NAS, to determine whether to use PAP or CHAP.  They
> wrote:  "The CHAP, PAP is all configured on the RADIUS server
> side-not on the FW-1 side +the firewall uses UDP port ONLY to talk
> to RADIUS."  And, a bit further on after a basic description of
> PAP and CHAP RADIUS authentication, they write:  "There is no such
> option to configure CHAP, PAP, EAP on the firewall."

The choice of which type of authentication (PAP v CHAP) to be used is made by 
the Radius client, not the Radius server. In the case of PAP authentication 
the Radius client sends a User-Password in the access request to the server. 
In the case of CHAP, it sends CHAP-Password instead. The server has no choice 
in whether to use PAP or CHAP.

The discussion of port numbers is irrelevant.

If you can send me a Radiator level 4 trace of the requests sent by your FW-1, 
I can tell you more about how it's behaving.

>
> However it may be that using CHAP is fine anyhow:  today, using
> "radpwtst" with the "-chap" option, I find that Radiator returns
> an OPIE Challenge when presented with an empty password string.

You will not be able to do OPIE authentication with CHAP. CHAP irreversibly 
transforms the password entered by the user. It is impossible to recover the 
plaintext password from CHAP, and therefore impossible to use CHAP with OPIE.

>
> The earlier problem was that I couldn't enter an empty string for
> the password via the FW-1 interface - it doesn't send anything at
> all until some non-empty string is entered.  Ah, the benefits of
> having Radiator's source code :-)  I therefore modified AuthOPIE.pm
> to test the password against a special string in place of the empty
> string, ''.  After doing that, I see that the Radiator log indicates
> that it sent FW-1 the OPIE Challenge.

OK, so FW-1 did not even send a request if the entered password was empty? If 
we conclude that FW-1 supports PAP, then we can deal with this problem, so 
that a certain keyword as the password would generate the OPIE challenge.

>
> However, FW-1 appears to be noncompliant with RFC-2865, in that it
> neither displays the OPIE Challenge to the user, nor does it return
> an Access-Reject, but instead issues the curious response, "RADIUS
> servers not responding".

That seems silly. Sounds like FW-1 behaving as if it did not receive the reply 
(or perhaps the shared secrets don't match).

>
> I'm assuming that it would be compliant with RFC-2865 for a NAS to
> accept and display the OPIE Challenge in a CHAP session, just as
> it may do so in a PAP session. 

The spec says:

   If the client receives an Access-Challenge and supports
   challenge/response it MAY display the text message, if any, to the
   user, and then prompt the user for a response.

> If so, then it appears that I now 
> have to take this problem back to CheckPoint.  Your comment on this
> point (either confirming or correcting my understanding with respect
> to using CHAP and sending the OPIE Challenge back to the NAS) would
> be appreciated.

If FW-1 only supports Radius-CHAP, then you will not be able to use OPIE. 
Therefore the question is really: can FW-1 support Radius-PAP?

>
> Again, thank you very much for your help.

I hope I _am_ being helpful.

Cheers.

>
>                                                   Ken

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
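An added illustration of the PAP-versus-CHAP point made in the reply above (this is example code, not from the thread or from Radiator): the RFC 2865 User-Password hiding is reversible by a server that holds the shared secret, while the CHAP-Password is a one-way MD5 of the plaintext, so the server can only verify it against a password it already knows. The shared secret, Request Authenticator and CHAP challenge below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; a real NAS supplies the authenticator and challenge.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
CHAP_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad with NULs to a multiple of
    16 octets, then XOR each block with MD5(secret + previous ciphertext block),
    seeded with the Request Authenticator. Reversible by the server."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the plaintext, which is what OPIE needs."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value (RFC 2865 section 5.3): MD5(ident + password + challenge).
    One-way: the server cannot get the plaintext back from this."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(ident: int, response: bytes, challenge: bytes, known_password: bytes) -> bool:
    """The only thing a server can do with CHAP: recompute with a password it
    already holds and compare. Useless for a one-time-password scheme like OPIE."""
    expected = chap_response(ident, known_password, challenge)
    return hmac.compare_digest(expected, response)
```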

