(RADIATOR) How to return the challenge with "AuthBy OPIE"?

Hugh Irvine hugh at open.com.au
Wed Nov 3 16:35:20 CST 2004


Hello Ken -

CheckPoint is incorrect.

The radius server (Radiator in this case) simply responds to access 
requests set to it by a NAS device (FW-1 in this case). It is entirely 
up to the NAS device to format and send the access request and to 
include in it whatever it requires. The radius server can certainly 
deal with PAP, CHAP, EAP or whatever, but it is up to the NAS device to 
actually send whichever one it wants to use.

I have copied Mike on this mail so he can comment on your question 
about CHAP.

regards

Hugh


On 4 Nov 2004, at 05:40, Ken Bell wrote:

> Hi Mike,
>
> Thank you for your quick reply.  I finally heard back from CheckPoint
> support on this issue, and they claim that it's up to the RADIUS
> server, not the NAS, to determine whether to use PAP or CHAP.  They
> wrote:  "The CHAP, PAP is all configured on the RADIUS server
> side-not on the FW-1 side +the firewall uses UDP port ONLY to talk
> to RADIUS."  And, a bit further on after a basic description of
> PAP and CHAP RADIUS authentication, they write:  "There is no such
> option to configure CHAP, PAP, EAP on the firewall."
>
> However it may be that using CHAP is fine anyhow:  today, using
> "radpwtst" with the "-chap" option, I find that Radiator returns
> an OPIE Challenge when presented with an empty password string.
>
> The earlier problem was that I couldn't enter an empty string for
> the password via the FW-1 interface - it doesn't send anything at
> all until some non-empty string is entered.  Ah, the benefits of
> having Radiator's source code :-)  I therefore modified AuthOPIE.pm
> to test the password against a special string in place of the empty
> string, ''.  After doing that, I see that the Radiator log indicates
> that it sent FW-1 the OPIE Challenge.
>
> However, FW-1 appears to be noncompliant with RFC-2865, in that it
> neither displays the OPIE Challenge to the user, nor does it return
> an Access-Reject, but instead issues the curious response, "RADIUS
> servers not responding".
>
> I'm assuming that it would be compliant with RFC-2865 for a NAS to
> accept and display the OPIE Challenge in a CHAP session, just as
> it may do so in a PAP session.  If so, then it appears that I now
> have to take this problem back to CheckPoint.  Your comment on this
> point (either confirming or correcting my understanding with respect
> to using CHAP and sending the OPIE Challenge back to the NAS) would
> be appreciated.
>
> Again, thank you very much for your help.
>
>                                                   Ken
> -- 
> Ken Bell :: kenbell at panix.com   :: (212) 475-4976 (voice)
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list