(RADIATOR) How to return the challenge with "AuthBy OPIE"?

Mike McCauley mikem at open.com.au
Wed Nov 3 17:25:06 CST 2004 

Hello Ken,


On Thursday 04 November 2004 09:04, Ken Bell wrote:
> Hi Mike,
>
> Just a reminder that in fact Radiator/OPIE authentication with FW-1
> works fine; the problem at this point is that FW-1 doesn't present
> the user with the OPIE Challenge (but if the user knows the correct
> OPIE sequence number, then he can enter the OTP and get authenticated).
>
> Unless you see something wrong with what Radiator is sending back, I
> think now that this is a problem with FW-1, not Radiator.

That reply looks fine. It contains the challenge in the Reply-Message as 
expected.

If FW-1 does not display the challenge Reply-Message to the user, then its not 
in contravention to the spec. The spec makes it clear that displaying the 
challenge to the user is optional on the part of the radius client.

I guess that makes it a bit hard for the users, but unless FW-1 can be 
convinced to display the Reply-Message, there is not much more that can be 
done.

Cheers.

>
>
> Here's an excerpt from the config file:
>
>   <Client xxxx>
>           Secret  xxxx
>           DupInterval 0
>   </Client>
>
>   <Realm DEFAULT>
>           <AuthBy OPIE>
>           </AuthBy>
>   </Realm>
>
>
> Here is an excerpt from the log (one of the 3 identical responses
> to the access request):
>
>   Wed Nov  3 17:46:00 2004: DEBUG: Packet dump:
>   *** Received from xxxx port xxxx ....
>   Code:       Access-Request
>   Identifier: 12
>   Authentic:  xxxx
>   Attributes:
>           User-Name = "xxxx"
>           User-Password = "xxxx"
>           Service-Type = Authenticate-Only
>           NAS-IP-Address = xxxx
>
>   Wed Nov  3 17:46:00 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT' Wed Nov  3 17:46:00 2004: DEBUG:  Deleting session for
> xxxx, xxxx, Wed Nov  3 17:46:00 2004: DEBUG: Handling with
> Radius::AuthOPIE: Wed Nov  3 17:46:00 2004: DEBUG: Radius::AuthOPIE looks
> for match with xxxx Wed Nov  3 17:46:00 2004: DEBUG: Radius::AuthOPIE
> CHALLENGE:
>   Wed Nov  3 17:46:00 2004: DEBUG: Access challenged for xxxx:
>   Wed Nov  3 17:46:00 2004: DEBUG: Packet dump:
>   *** Sending to xxxx port xxxx ....
>   Code:       Access-Challenge
>   Identifier: 12
>   Authentic:  xxxx
>   Attributes:
>           Reply-Message = "OPIE Challenge: otp-md5 488 bo2045 ext"
>
>
>
> I verified independently from the Radiator log (using a network
> sniffer) that in fact Radiator is sending the OPIE challenge in
> its Reply-Message back to FW-1.
>
> Thanks.
>
>                                                   Ken

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list