(RADIATOR) Digipass, PPTP and MSCHAPV2

Mike McCauley mikem at open.com.au
Fri Aug 12 02:02:28 CDT 2005


Hello Clem,

On Friday 12 August 2005 15:19, Clem Colman wrote:
> Hi All,
>
> Have scoped a solution which I am now trying to implement.
>
> Components:
>
> Radiator running on Linux (installed from rpm 3.13).
> AuthBy Digipass perl module (installed from rpm included in tarball).
> Digipass GO3 tokens.
> Snapgear SME530 which provides PPTP with Radius Auth and authentication
> options of PAP, CHAP, MSCHAP, MSCHAPV2.
>
> The basic concept of the idea is that users use Vasco/Digipass GO3
> tokens to log into pptp on the snapgear.  The snapgear authenticates
> via radius and the world is good (because users don't use static
> passwords for pptp).
>
> Have Radiator installed fine, and authenticating using rapwdtst program
> just fine.
>
> However, when I try to authenticate via the snapgear, the packets come
> through and I see the requests come through in the trace with the
> MSCHAP challenge and the MSCHAPV2 response.  All looks good, except
> that authentication fails.
>
> Doing a little bit of reading it seems to be the case that for the
> authby digipass stuff to work it needs the password in plain text,
> which is clearly not going to happen unless I go all the way down to
> PAP (which I think breaks data encryption for pptp and hence is not
> much of an option).
>
> Am I missing something obvious here?  Is there some way to make the
> MSCHAP challenge and MSCHAPV2 response authenticate correctly using
> Authby Digipass, or is this bird never going to fly?

It's a cooked goose.

There is no way that you will be able to get MSCHAP or MSCHAPV2 to work 
with Digipass. The reason for this is that MSCHAP and MSCHAPV2 irreversibly 
hash the user's entered password before it gets to the server, but Digipass 
needs the original plaintext password in order to do its thing.

As Hugh has mentioned, Digipass will work with PAP, GTC, and OTP.

Cheers.


>
> The config file is basically the digipass sample from the goodies
> directory.
>
> Cheers,
> Clem.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

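Why PAP can feed Digipass where MS-CHAPv2 cannot, as an added illustration that is not code from this thread or from Radiator: with PAP the NAS only obfuscates the User-Password attribute using the shared secret and the Request Authenticator (RFC 2865 section 5.2), and the RADIUS server reverses that to recover the one-time password the user typed; an MS-CHAPv2 response is derived from an irreversible hash of the password, so there is nothing to recover. The shared secret, authenticator, OTP value and the stand-in verifier below are constructed for the example.

```python
import hashlib
import secrets


def _pad16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 bytes, as RFC 2865 section 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: obfuscate a PAP password for the User-Password attribute.
    Each 16-byte block is XORed with MD5(secret + previous ciphertext block),
    seeded with the 16-byte Request Authenticator. This is reversible by design."""
    padded = _pad16(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += cipher
        prev = cipher
    return bytes(out)


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding and strip the NUL padding.
    (Passwords that legitimately end in NUL bytes are not distinguishable from padding.)"""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def otp_verifier_accepts(plaintext_otp: bytes, expected_otp: bytes) -> bool:
    """Constructed stand-in for the Digipass check: it needs the plaintext
    one-time password, which only a reversible transport such as PAP delivers."""
    return secrets.compare_digest(plaintext_otp, expected_otp)


def authenticate_pap(hidden: bytes, secret: bytes, authenticator: bytes, expected_otp: bytes) -> bool:
    """What an AuthBy module can do for a PAP request: recover, then hand to the OTP verifier."""
    return otp_verifier_accepts(recover_user_password(hidden, secret, authenticator), expected_otp)
```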