(RADIATOR) How to return the challenge with "AuthBy OPIE"?
Mike McCauley
mikem at open.com.au
Wed Nov 3 16:25:36 CST 2004
Hello Ken,
according to web searches I made, FW-1 only appears to support Radius PAP. If
you will send a trace 4 log, I can confirm that. If so, that bodes well for
your OPIE support.
Cheers.
On Thursday 04 November 2004 04:40, Ken Bell wrote:
> Hi Mike,
>
> Thank you for your quick reply. I finally heard back from CheckPoint
> support on this issue, and they claim that it's up to the RADIUS
> server, not the NAS, to determine whether to use PAP or CHAP. They
> wrote: "The CHAP, PAP is all configured on the RADIUS server
> side - not on the FW-1 side + the firewall uses UDP port ONLY to talk
> to RADIUS." And, a bit further on after a basic description of
> PAP and CHAP RADIUS authentication, they write: "There is no such
> option to configure CHAP, PAP, EAP on the firewall."
>
> However it may be that using CHAP is fine anyhow: today, using
> "radpwtst" with the "-chap" option, I find that Radiator returns
> an OPIE Challenge when presented with an empty password string.
>
> The earlier problem was that I couldn't enter an empty string for
> the password via the FW-1 interface - it doesn't send anything at
> all until some non-empty string is entered. Ah, the benefits of
> having Radiator's source code :-) I therefore modified AuthOPIE.pm
> to test the password against a special string in place of the empty
> string, ''. After doing that, I see that the Radiator log indicates
> that it sent FW-1 the OPIE Challenge.
>
> However, FW-1 appears to be noncompliant with RFC-2865, in that it
> neither displays the OPIE Challenge to the user, nor does it return
> an Access-Reject, but instead issues the curious response, "RADIUS
> servers not responding".
>
> I'm assuming that it would be compliant with RFC-2865 for a NAS to
> accept and display the OPIE Challenge in a CHAP session, just as
> it may do so in a PAP session. If so, then it appears that I now
> have to take this problem back to CheckPoint. Your comment on this
> point (either confirming or correcting my understanding with respect
> to using CHAP and sending the OPIE Challenge back to the NAS) would
> be appreciated.
>
> Again, thank you very much for your help.
>
> Ken
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
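As an added illustration of the exchange discussed in this thread (this is example code written for this archive page; it is neither Radiator's AuthOPIE.pm nor anything posted by Mike or Ken), the block below walks a PAP Access-Request / Access-Challenge / Access-Accept round trip as RFC 2865 lays it out: the NAS sends an empty User-Password, the server answers Access-Challenge carrying the challenge text in Reply-Message plus a State attribute, the NAS shows the Reply-Message to the user and re-sends an Access-Request with the one-time response and the State copied in unmodified, and each reply is checked against its Response Authenticator before it is trusted. The shared secret, user name, challenge string and expected one-time response are constructed test values; the toy server does no real OPIE arithmetic, it just hands out a fixed challenge and compares the second password with a fixed expected reply. It follows the empty-password convention Ken saw with radpwtst rather than a special-string trigger.

```python
# Added example: RFC 2865 challenge/response flow with PAP password hiding.
# All secrets, names and challenge strings below are constructed test values.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SECRET = b"testing123"                  # constructed shared secret
OPIE_CHALLENGE = b"otp-md5 498 ke1234"  # constructed challenge text
OPIE_RESPONSE = b"WORD1 WORD2 WORD3"    # constructed expected OTP reply


def encode(code, ident, authenticator, attrs):
    """Serialise Code/Identifier/Length/Authenticator followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(packet):
    """Parse a RADIUS packet into (code, ident, authenticator, [(type, value)])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def pap_hide(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR with a chained MD5 keystream."""
    padded = password + b"\0" * (-len(password) % 16) if password else b"\0" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def pap_reveal(hidden, secret, request_auth):
    """Inverse of pap_hide; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def reply_auth(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


class ChallengeServer:
    """Toy server: empty PAP password -> Access-Challenge; State + correct OTP -> Accept."""

    def __init__(self):
        self.pending = {}  # State value -> user name that was challenged

    def handle(self, packet):
        code, ident, req_auth, attrs = decode(packet)
        a = dict(attrs)
        if code != ACCESS_REQUEST or USER_PASSWORD not in a:
            return None  # only PAP requests are handled in this example
        user = a.get(USER_NAME, b"")
        password = pap_reveal(a[USER_PASSWORD], SECRET, req_auth)
        state = a.get(STATE)
        if state is not None and self.pending.pop(state, None) == user:
            ok = password == OPIE_RESPONSE
            rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
            reply = [(REPLY_MESSAGE, b"OK" if ok else b"Bad OTP")]
        elif password == b"":
            state = os.urandom(8)  # opaque to the NAS, echoed back unmodified
            self.pending[state] = user
            rcode, reply = ACCESS_CHALLENGE, [(REPLY_MESSAGE, OPIE_CHALLENGE), (STATE, state)]
        else:
            rcode, reply = ACCESS_REJECT, [(REPLY_MESSAGE, b"Bad password")]
        return encode(rcode, ident, reply_auth(rcode, ident, reply, req_auth, SECRET), reply)


def nas_request(user, password, ident, extra=()):
    """Build an Access-Request as a NAS would: fresh Request Authenticator, hidden password."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, pap_hide(password, SECRET, req_auth))] + list(extra)
    return req_auth, encode(ACCESS_REQUEST, ident, req_auth, attrs)


def nas_check_reply(reply, ident, req_auth):
    """Verify identifier and Response Authenticator before trusting a reply (RFC 2865 3)."""
    code, rid, auth, attrs = decode(reply)
    if rid != ident or auth != reply_auth(code, rid, attrs, req_auth, SECRET):
        raise ValueError("reply failed authenticator check")
    return code, dict(attrs)


def run_exchange(user=b"ken", otp=OPIE_RESPONSE):
    """Full flow: empty-password request -> challenge shown to user -> request with State."""
    server = ChallengeServer()
    req_auth, req = nas_request(user, b"", 1)
    code, a = nas_check_reply(server.handle(req), 1, req_auth)
    if code != ACCESS_CHALLENGE:
        return code, None
    prompt = a[REPLY_MESSAGE]  # RFC 2865 4.4: the NAS displays this to the user
    req_auth, req = nas_request(user, otp, 2, [(STATE, a[STATE])])
    code, _ = nas_check_reply(server.handle(req), 2, req_auth)
    return code, prompt
```

A NAS that drops the Access-Challenge on the floor, as Ken describes FW-1 doing, never reaches the second request in run_exchange; the server has already sent a well-formed reply, which is why the server log shows the challenge going out while the firewall reports no response.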