[RADIATOR] CHAP flow

M P antmtp at hotmail.com
Fri Nov 25 00:49:57 CST 2011


Hello Heikki,
 
Thank you for your detailed explanation.
 
Regards,
 
> Date: Wed, 23 Nov 2011 21:29:16 +0200
> From: hvn at open.com.au
> To: antmtp at hotmail.com
> CC: radiator at open.com.au
> Subject: Re: [RADIATOR] CHAP flow
> 
> On 11/23/2011 11:04 AM, M P wrote:
> 
> > In CHAP, how does Radiator verify that the password submitted by the end
> > user matches the password in the database? Please correct my
> > understanding of the following process flow:
> 
> Here's an example with radpwtst. Note that CHAP does not need to return
> an Access-Challenge. CHAP authentication takes only an Access-Request with
> Access-Accept or Access-Reject as the return message.
> 
> ~/radiator/Radiator-4.9$ ./radpwtst -trace 4 -noacct -chap -user mikem
> -password fred
> Wed Nov 23 21:13:16 2011: DEBUG: Reading dictionary file './dictionary'
> sending Access-Request...
> Wed Nov 23 21:13:16 2011: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1645 ....
> Code:       Access-Request
> Identifier: 46
> Authentic:  "<230><209>Z" <174><13>!~<19>R<213><159><194>g
> Attributes:
> 	User-Name = "mikem"
> 	Service-Type = Framed-User
> 	NAS-IP-Address = 203.63.154.1
> 	NAS-Identifier = "203.63.154.1"
> 	NAS-Port = 1234
> 	Called-Station-Id = "123456789"
> 	Calling-Station-Id = "987654321"
> 	NAS-Port-Type = Async
> 	CHAP-Password =
> 5S<170><235><146><30><135><252><190><135><244>.cx<249><173>~
> 	CHAP-Challenge = 1234567890123456
> 
> Wed Nov 23 21:13:16 2011: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1645 ....
> Code:       Access-Accept
> Identifier: 46
> Authentic:
> <223><19><224><127>b<192><220><243><156><17><7><25><179><157><147><24>
> Attributes:
> 
> OK
> 
> > [1] End user submits the username and password via CHAP.
> > [2] Upon hitting the Radiator with the CHAP-Password attribute, it will
> > respond with Access-Challenge (exit 3).
> > [3] Perform challenge-response and decide whether the Radiator will
> > Access-Accept or Access-Reject.
> >  
> > My question is, between items [2] and [3], how does Radiator check and
> > verify the password of the username from its database? Isn't it that
> > Radiator should first check its database for the username's password
> > during step [2] or before step [3]?
> 
> When Radiator receives the password in step [2], it will look up the
> plain text password using the username as key. With the password
> Radiator can calculate its own CHAP-Password value using CHAP-Challenge.
> See how radpwtst creates the two CHAP related attributes and
> http://tools.ietf.org/html/rfc2865#section-5.3 for the attribute
> definitions.
> 
> Once Radiator has its own value for CHAP-Password it can compare it to
> the received CHAP-Password and make immediate pass/fail decision without
> challenging the client.
> 
> > Please advise as I am confused. I am actually using AuthBy EXTERNAL and
> > executing an external script to check an external API for the user's
> > password.
> 
> See how radpwtst and Radius/AuthGeneric.pm and the check_chap function
> calculate the values. That should clarify how CHAP-Password and
> CHAP-Challenge work.
> 
> Thanks!
> Heikki
> 
> 
> > Thank you in advance.
> > 
> > 
> > _______________________________________________
> > radiator mailing list
> > radiator at open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> -- 
> Heikki Vatiainen <hvn at open.com.au>
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
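The check Heikki describes, written out as an added example (this is illustration code, not code from the original post, from radpwtst or from Radiator's check_chap). Both sides of the exchange are shown: the client builds CHAP-Password as Ident || MD5(Ident || password || challenge) per RFC 1994 and RFC 2865 section 5.3, and the server recomputes that value from the cleartext password it looked up and compares. The user name, password "fred" and challenge "1234567890123456" follow the radpwtst run above; the Ident byte 0x35, the Request Authenticator and the in-memory backend are assumptions for the example, and the digest is not claimed to match the packet dump. The example also covers two cases a practitioner needs to get right: a request without a CHAP-Challenge attribute, where RFC 2865 makes the Request Authenticator the challenge, and a malformed (wrong-length) CHAP-Password, which must simply be rejected.

```python
"""Worked example of RADIUS CHAP verification (RFC 2865 section 5.3, RFC 1994).

Added illustration, not Radiator code. Sample values are constructed for the
example: user/password/challenge follow the radpwtst run, the Ident byte and
Request Authenticator are arbitrary choices.
"""
import hashlib
import hmac
from typing import Optional

MD5_LEN = 16
CHAP_PASSWORD_LEN = 1 + MD5_LEN      # CHAP Ident octet followed by the MD5 response


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """The 16-octet CHAP response: MD5(Ident || secret || challenge) (RFC 1994)."""
    if not 0 <= ident <= 0xFF:
        raise ValueError("CHAP Ident must fit in one octet")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client/NAS side: the value carried in the CHAP-Password attribute."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def check_chap(stored_password: bytes,
               chap_password: bytes,
               chap_challenge: Optional[bytes],
               request_authenticator: bytes) -> bool:
    """Server side: recompute the response from the cleartext password and compare.

    This is the whole of CHAP verification over RADIUS: one Access-Request in,
    Access-Accept or Access-Reject out, no Access-Challenge round trip.
    chap_challenge is None when the request carried no CHAP-Challenge
    attribute; RFC 2865 then says the Request Authenticator is the challenge.
    """
    if len(chap_password) != CHAP_PASSWORD_LEN:
        return False                      # malformed attribute: reject, don't raise
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    ident = chap_password[0]              # reuse the Ident the client hashed with
    expected = chap_response(ident, stored_password, challenge)
    # constant-time compare so timing does not leak how many digest bytes matched
    return hmac.compare_digest(expected, chap_password[1:])


def demo() -> dict:
    """Run the exchange with constructed values and return the outcomes."""
    password = b"fred"                    # from the radpwtst run
    challenge = b"1234567890123456"       # the CHAP-Challenge in the dump
    request_authenticator = bytes(range(16))   # assumed value for the example
    ident = 0x35                          # assumed Ident byte

    # 1. client builds CHAP-Password for the Access-Request
    chap_password = build_chap_password(ident, password, challenge)

    # 2. server looks up the cleartext password for the user in its backend
    #    (constructed in-memory backend; CHAP cannot be checked against a
    #    one-way hash, the server needs the cleartext to recompute the MD5)
    backend = {"mikem": b"fred"}
    stored = backend["mikem"]

    # 3. server recomputes the response and decides Accept/Reject at once
    return {
        "correct_password": check_chap(stored, chap_password, challenge,
                                       request_authenticator),
        "wrong_password": check_chap(stored, build_chap_password(ident, b"freddy", challenge),
                                     challenge, request_authenticator),
        "wrong_challenge": check_chap(stored, chap_password, b"6543210987654321",
                                      request_authenticator),
        "truncated_attribute": check_chap(stored, chap_password[:10], challenge,
                                          request_authenticator),
        # no CHAP-Challenge attribute: both sides use the Request Authenticator
        "authenticator_as_challenge": check_chap(
            stored, build_chap_password(ident, password, request_authenticator),
            None, request_authenticator),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} -> {'Access-Accept' if ok else 'Access-Reject'}")
```

The practical consequence for the AuthBy EXTERNAL question in the thread: whatever backend or script the server consults has to hand it the cleartext password (or do the MD5 computation itself with the CHAP-Password and CHAP-Challenge it receives); an API that only answers "valid / not valid" for a cleartext password cannot serve CHAP, because the server never sees the cleartext the user typed.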