No subject


Tue Jun 24 01:21:43 CDT 2008


Hi

The secret key allows the communication between the client and the
radius server, this is also mentioned in the manual:

<Client DEFAULT>
    # Configuration parameters for the Client go here
     .....
</Client>

Hint : The configuration file will usually contain the shared secrets
that allow your Radius clients to communicate with the Radiator Radius
server.

From the Hint above I can conclude that a client with a wrong secret key
will not be accepted to communicate with it. This communication security
between the clients and the server must be performed in combination with
every PPP protocol (PAP or CHAP). The secret key is also used to
encrypt the PAP clear text password; this is not applied for CHAP.

In our test we have configured different secret keys on the client side
and the proxy radius server, see the setup below:

Client ------------------------ Proxy Radius ------------------------ Authentication Radius

We expect that there will be no communication possible between the
Client and the Proxy; unfortunately the test results prove the
opposite. We did two test scenarios for PAP and CHAP:

PAP: the communication is possible end-to-end from the client through
the proxy to the authentication radius. The reply is an ACCESS-REJECT,
because of the secret encryption and decryption with different keys
between the client and the proxy; this is understandable.

CHAP: the communication is possible end-to-end from the client through
the proxy to the authentication radius. The reply is in this case an
ACCESS-ACCEPT! Note that the secrets are still different between the
Client and the proxy. This is not understandable.

Conclusion:
I can conclude the secret key is not used to allow the communication
between the client and Radius and is only used to encrypt the PAP
password. I am now confused about the working of the secret key; can you
clarify this for me?

With Kind Regards

Mohamed Majdoubi
System Engineer
KPN Telecom

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
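
The PAP and CHAP results reported in the message follow from where RFC 2865 uses the shared secret. The Python below is an added example, not part of the original message and not Radiator's code; the secrets, password, identifiers and authenticator values are constructed. It shows that User-Password hiding depends on the hop's secret, that the CHAP response does not, and that the Message-Authenticator attribute (RFC 2869) is the check that ties a request to the secret.

```python
import hashlib
import hmac
import struct

def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR the padded password with an MD5 keystream."""
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as done by the server receiving the request."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: MD5(ident + password + challenge); no shared secret."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def message_authenticator(secret, code, ident, req_auth, attrs) -> bytes:
    """RFC 2869 section 5.14: HMAC-MD5 over the packet, keyed with the shared
    secret; attrs must carry attribute 80 with a 16-byte zero value."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth
    return hmac.new(secret, header + attrs, hashlib.md5).digest()

def demo() -> dict:
    # All values below are constructed for illustration.
    client_secret, proxy_secret = b"client-side-secret", b"proxy-side-secret"
    req_auth, password = bytes(range(16)), b"correct horse"
    hidden = hide_password(client_secret, req_auth, password)
    sent_chap = chap_response(7, password, req_auth)  # challenge = Request Authenticator
    attrs = b"\x01\x05bob" + b"\x50\x12" + bytes(16)  # User-Name, zeroed attr 80
    sent_mac = message_authenticator(client_secret, 1, 7, req_auth, attrs)
    proxy_mac = message_authenticator(proxy_secret, 1, 7, req_auth, attrs)
    return {
        "pap_matching_secret": unhide_password(client_secret, req_auth, hidden) == password,
        "pap_mismatched_secret": unhide_password(proxy_secret, req_auth, hidden) == password,
        # The final server checks CHAP from the stored password alone.
        "chap_any_hop_secret": hmac.compare_digest(sent_chap, chap_response(7, password, req_auth)),
        "message_authenticator_verifies_at_proxy": hmac.compare_digest(sent_mac, proxy_mac),
    }
```

A receiver that requires and verifies Message-Authenticator on Access-Request discards the request from a client whose secret does not match, for PAP and CHAP alike.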

