[RADIATOR] CHAP flow

Heikki Vatiainen hvn at open.com.au
Wed Nov 23 13:29:16 CST 2011


On 11/23/2011 11:04 AM, M P wrote:

> In CHAP, how does Radiator verify that the password submitted by the end
> user matches the password in the database? Please correct my
> understanding of the following process flow:

Here's an example with radpwtst. Note that CHAP does not need to return
an Access-Challenge. CHAP authentication takes only an Access-Request with
Access-Accept or Access-Reject as the return message.

~/radiator/Radiator-4.9$ ./radpwtst -trace 4 -noacct -chap -user mikem
-password fred
Wed Nov 23 21:13:16 2011: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Wed Nov 23 21:13:16 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Access-Request
Identifier: 46
Authentic:  "<230><209>Z" <174><13>!~<19>R<213><159><194>g
Attributes:
	User-Name = "mikem"
	Service-Type = Framed-User
	NAS-IP-Address = 203.63.154.1
	NAS-Identifier = "203.63.154.1"
	NAS-Port = 1234
	Called-Station-Id = "123456789"
	Calling-Station-Id = "987654321"
	NAS-Port-Type = Async
	CHAP-Password =
5S<170><235><146><30><135><252><190><135><244>.cx<249><173>~
	CHAP-Challenge = 1234567890123456

Wed Nov 23 21:13:16 2011: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1645 ....
Code:       Access-Accept
Identifier: 46
Authentic:
<223><19><224><127>b<192><220><243><156><17><7><25><179><157><147><24>
Attributes:

OK

> [1] End user submits the username and password via CHAP.
> [2] Upon hitting the Radiator with the CHAP-Password attribute, it will
> respond with Access-Challenge (exit 3).
> [3] Perform challenge-response and decide whether the Radiator will
> Access-Accept or Access-Reject.
>  
> My question is, between items [2] and [3], how does Radiator check and
> verify the password of the username from its database? Isn't it that
> Radiator should check its database for the username's password first,
> during step [2] or before step [3]?

When Radiator receives the password in step [2], it will look up the
plain text password using the username as key. With the password,
Radiator can calculate its own CHAP-Password value using CHAP-Challenge.
See how radpwtst creates the two CHAP related attributes and
http://tools.ietf.org/html/rfc2865#section-5.3 for the attribute
definitions.

Once Radiator has its own value for CHAP-Password it can compare it to
the received CHAP-Password and make an immediate pass/fail decision without
challenging the client.

> Please advise as I am confused. I am actually using AuthBy EXTERNAL and
> executing an external script to check an external API for the user's
> password.

See how radpwtst and the check_chap function in Radius/AuthGeneric.pm
calculate the values. That should clarify how CHAP-Password and
CHAP-Challenge work.

Thanks!
Heikki


> Thank you in advance.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

