(RADIATOR) How to return the challenge with "AuthBy OPIE"?

Ken Bell kenbell at panix.com
Wed Nov 3 17:04:17 CST 2004


Hi Mike,

Just a reminder that in fact Radiator/OPIE authentication with FW-1
works fine; the problem at this point is that FW-1 doesn't present
the user with the OPIE Challenge (but if the user knows the correct
OPIE sequence number, then he can enter the OTP and get authenticated).

Unless you see something wrong with what Radiator is sending back, I
think now that this is a problem with FW-1, not Radiator.


Here's an excerpt from the config file:

  <Client xxxx>
          Secret  xxxx
          DupInterval 0
  </Client>

  <Realm DEFAULT>
          <AuthBy OPIE>
          </AuthBy>
  </Realm>


Here is an excerpt from the log (one of the 3 identical responses
to the access request):

  Wed Nov  3 17:46:00 2004: DEBUG: Packet dump:
  *** Received from xxxx port xxxx ....
  Code:       Access-Request
  Identifier: 12
  Authentic:  xxxx
  Attributes:
          User-Name = "xxxx"
          User-Password = "xxxx"
          Service-Type = Authenticate-Only
          NAS-IP-Address = xxxx
  
  Wed Nov  3 17:46:00 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
  Wed Nov  3 17:46:00 2004: DEBUG:  Deleting session for xxxx, xxxx,
  Wed Nov  3 17:46:00 2004: DEBUG: Handling with Radius::AuthOPIE:
  Wed Nov  3 17:46:00 2004: DEBUG: Radius::AuthOPIE looks for match with xxxx
  Wed Nov  3 17:46:00 2004: DEBUG: Radius::AuthOPIE CHALLENGE:
  Wed Nov  3 17:46:00 2004: DEBUG: Access challenged for xxxx:
  Wed Nov  3 17:46:00 2004: DEBUG: Packet dump:
  *** Sending to xxxx port xxxx ....
  Code:       Access-Challenge
  Identifier: 12
  Authentic:  xxxx
  Attributes:
          Reply-Message = "OPIE Challenge: otp-md5 488 bo2045 ext"



I verified independently from the Radiator log (using a network
sniffer) that in fact Radiator is sending the OPIE challenge in
its Reply-Message back to FW-1.

Thanks.

                                                  Ken
-- 
Ken Bell :: kenbell at panix.com   :: (212) 475-4976 (voice)
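
The sniffer check described in the message can be repeated on captured bytes. The following is an added example, not part of the original post or of Radiator: it parses a RADIUS packet and confirms that an Access-Challenge carries the OPIE challenge in Reply-Message. The packet is constructed to mirror the log above (the authenticator is a zero placeholder because the real value is redacted), and all function names are hypothetical.

```python
import re
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE = 18  # RADIUS attribute type for Reply-Message (RFC 2865)

def build_sample_challenge():
    """Constructed packet mirroring the log: Identifier 12, one Reply-Message."""
    msg = b"OPIE Challenge: otp-md5 488 bo2045 ext"
    attr = bytes([REPLY_MESSAGE, len(msg) + 2]) + msg
    authenticator = bytes(16)  # placeholder; the real value is redacted in the log
    return struct.pack("!BBH", 11, 12, 20 + len(attr)) + authenticator + attr

def parse_radius(packet):
    """Return (code name, identifier, [(type, value), ...]) for one packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return RADIUS_CODES.get(code, str(code)), ident, attrs

# Challenge layout as seen in the log: otp-<hash> <sequence> <seed> [ext]
OPIE_RE = re.compile(r"otp-(md4|md5|sha1)\s+(\d+)\s+([A-Za-z0-9]{1,16})(\s+ext)?")

def opie_challenge(packet):
    """Extract the OTP challenge from an Access-Challenge, or None if absent."""
    code, _ident, attrs = parse_radius(packet)
    if code != "Access-Challenge":
        return None
    for a_type, value in attrs:
        if a_type != REPLY_MESSAGE:
            continue
        m = OPIE_RE.search(value.decode("ascii", "replace"))
        if m:
            return {"hash": m.group(1), "sequence": int(m.group(2)),
                    "seed": m.group(3), "extended": m.group(4) is not None}
    return None
```

A `None` result for a packet the server logged as a challenge means the text never left the server; a parsed challenge means it reached the wire and the client is the place to look.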
