No subject


Tue Jun 24 01:21:43 CDT 2008


From the Hint above I can conclude that a client with a wrong secret key
will not be accepted to communicate with it. This communication security
between the clients and the server must be performed in combination with
every PPP protocol (PAP or CHAP). The secret key is also used to encrypt
the PAP clear-text password; this is not applied for CHAP.

 

In our test we have configured different secret keys on the client side
and on the proxy radius server, see the setup below:

Client ------------------------ Proxy Radius ------------------------ Authentication Radius


We expect that there will be no communication possible between the
Client and the Proxy; unfortunately the test results prove the
opposite. We did two test scenarios, for PAP and CHAP:

PAP: the communication is possible end-to-end from the client through
the proxy to the authentication radius. The reply is an ACCESS-REJECT
because of the secret encryption and decryption with different keys
between the client and the proxy; this is understandable.

CHAP: the communication is possible end-to-end from the client through
the proxy to the authentication radius. The reply is in this case an
ACCESS-ACCEPT! Note that the secrets are still different between the
Client and the proxy. This is not understandable.

 

Conclusion:

I can conclude that the secret key is not used to allow the communication
between the client and Radius and is only used to encrypt the PAP
password. I am now confused about the working of the secret key; can you
clarify this to me?

With Kind Regards

 

Mohamed Majdoubi

System Engineer

KPN Telecom

 



NB: have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

Hi Hugh,

The content of section 2.2, which describes the interoperability of the
shared key and PAP/CHAP, is only a sub-function of the shared key. This
sub-function is working well according to our test. The main function of
the shared key, which is described in the introduction (network security
section) of RFC2865, is not working: the authentication reply is always
an access accept in case of CHAP (the sub-function of the shared key is
not applied for CHAP); this works even if the configured shared keys in
the client and the server are not the same. My question is: why does
Radiator not drop radius requests from a client with a false shared key?

With Kind Regards

Mohamed

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Friday, April 11, 2003 9:32 AM
To: mohamed; mikem at open.com.au
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) secret key usage in combination with CHAP/PAP

Hello Mohamed -

What you describe is correct, according to the Radius RFC's.

It is somewhat confusing I agree.

Have a look at section 2.2 of RFC2865 ("doc/rfc2865.txt").

I have copied this mail to Mike for further comments.

regards

Hugh

On Friday, Apr 11, 2003, at 17:18 Australia/Melbourne, mohamed wrote:

Hi

The secret key allows the communication between the client and the
radius server; this is also mentioned in the manual:

    <Client DEFAULT>
        # Configuration parameters for the Client go here
        .....
    </Client>

Hint: The configuration file will usually contain the shared secrets
that allow your Radius clients to communicate with the Radiator Radius
server.
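
The RFC 2865 arithmetic behind the two test results, as an added example that is not code from the original mails or from Radiator: the PAP User-Password is hidden with a keystream derived from the shared secret and the Request Authenticator, so a mismatched secret unhides to garbage and earns an Access-Reject; the CHAP-Password is a hash of the password and the challenge with no secret involved, so the server verifies it and answers Access-Accept; and the secret is only checked in the Response Authenticator, which the client verifies, not the server. The function names, the stored password and the secrets are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential; a real server looks it up in its user database.
STORED_PASSWORD = b"correct-horse"

def hide_user_password(password, secret, req_auth):
    """RFC 2865 s.5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), the first block keyed by the Request Authenticator. Unhiding mirrors it."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_user_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop the RFC padding (and any trailing NULs)

def chap_response(ident, password, challenge):
    """RFC 2865 s.5.3: CHAP-Password = ident + MD5(ident + password + challenge).
    The shared secret is not an input, so a server that knows the user's password
    verifies this no matter which secret it has configured for the client."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is where the secret is actually checked, and the client does the checking."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + req_auth + attrs + secret).digest()

def exchange(method, client_secret, server_secret, typed=STORED_PASSWORD, req_auth=None):
    """One Access-Request; returns (server's reply, did the client accept that reply?)."""
    req_auth = req_auth or os.urandom(16)
    if method == "PAP":
        hidden = hide_user_password(typed, client_secret, req_auth)
        ok = unhide_user_password(hidden, server_secret, req_auth) == STORED_PASSWORD
    else:  # CHAP: with no CHAP-Challenge attribute the Request Authenticator is the challenge
        ok = chap_response(1, typed, req_auth) == chap_response(1, STORED_PASSWORD, req_auth)
    code, reply = (2, "Access-Accept") if ok else (3, "Access-Reject")
    sent = response_authenticator(code, 7, req_auth, b"", server_secret)
    want = response_authenticator(code, 7, req_auth, b"", client_secret)
    return reply, hmac.compare_digest(sent, want)
```

A server therefore cannot tell a correct-secret Access-Request from a wrong-secret one unless the request carries a Message-Authenticator attribute (RFC 2869, an HMAC-MD5 keyed with the secret), which is why a server-side trace shows the accept while the client is expected to discard the reply whose Response Authenticator does not verify.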

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

