(RADIATOR) Digipass, PPTP and MSCHAPV2

Hugh Irvine hugh at open.com.au
Fri Aug 12 00:47:27 CDT 2005


Hello Clem -

It really is most helpful if you post a copy of your configuration  
file and a trace 4 debug from Radiator showing what is happening.

You are correct however when you say that PAP is required - from  
section 6.55 of the Radiator manual ("doc/ref.html"):

......

AuthBy DIGIPASS supports Response Only (RO) and Challenge/Response
(CR) tokens. It supports Radius PAP, TTLS-PAP, EAP-GTC and EAP-OTP
authentication methods. When using Challenge/Response tokens with PAP
or TTLS-PAP, when the user enters an empty password, AuthBy DIGIPASS
will generate the Challenge to enter into the Digipass token. The
token will then generate a Response which the user enters as their
real password.

.....

Note that PAP is only relevant for the authentication.

regards

Hugh


On 12 Aug 2005, at 15:19, Clem Colman wrote:

> Hi All,
>
> Have scoped a solution which I am now trying to implement.
>
> Components:
>
> Radiator running on Linux (installed from rpm 3.13).
> AuthBy Digipass perl module (installed from rpm included in tarball).
> Digipass GO3 tokens.
> Snapgear SME530 which provides PPTP with Radius Auth and  
> authentication options of PAP, CHAP, MSCHAP, MSCHAPV2.
>
> The basic concept of the idea is that users use Vasco/Digipass GO3  
> tokens to log into pptp on the snapgear.  The snapgear  
> authenticates via radius and the world is good (because users don't  
> use static passwords for pptp).
>
> Have Radiator installed fine, and authenticating using rapwdtst  
> program just fine.
>
> However, when I try to authenticate via the snapgear, the packets  
> come through and I see the requests come through in the trace with  
> the MSCHAP challenge and the MSCHAPV2 response.  All looks good,  
> except that authentication fails.
>
> Doing a little bit of reading it seems to be the case that for the  
> authby digipass stuff to work it needs the password in plain text,  
> which is clearly not going to happen unless I go all the way down  
> to PAP (which I think breaks data encryption for pptp and hence is  
> not much of an option).
>
> Am I missing something obvious here?  Is there some way to make the
> MSCHAP challenge and MSCHAPV2 response authenticate correctly using
> Authby Digipass, or is this bird never going to fly?
>
> The config file is basically the digipass sample from the goodies  
> directory.
>
> Cheers,
> Clem.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

