[RADIATOR] CHAP flow

Heikki Vatiainen hvn at open.com.au
Sun Nov 27 13:55:49 CST 2011


On 11/26/2011 05:19 AM, M P wrote:

> Since in my case that I am getting the password from an external API via
> an AuthBy EXTERNAL script, does it mean that I have to do the following
> steps below upon receiving the user's Access-Request?
> 
> [1] The external script will query the external API server and get the
> user's password;

Yes.

> [2] The script will then convert the password received into a
> CHAP-Password format (e.g. CHAP ID + MD5SUM of CHAP ID + password +
> CHAP-Challenge);

Yes. Just to check what is hashed with MD5: CHAP ID + MD5SUM of (CHAP ID
+ password + CHAP-Challenge)

> [3] Compare the CHAP-Password received from the user's Access-Request vs
> the CHAP-Password that was converted as per item [2];

Yes.

The human readable format Radiator uses for binary attribute values
comes from the AttrVal.pm pclean function. You need to duplicate that
format in your script to get the value calculated in [2] to match what
AuthBy EXTERNAL gets for its input. So this format is output from the
pclean function:

CHAP-Password = 5S<170><235><146><30><135><252><190><135><244>.cx<249><173>~

> [4] Whatever the result of item [3], my script will then do an "exit 0"
> or "exit 1".

Yes.

> Please advise. Thank you very much.

I think you got the steps correct.


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
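
Steps [2] to [4] from the thread, as an added example that is not part of the original message and is not Radiator code. It assumes the readable format keeps printable ASCII and writes every other byte as `<decimal>` (inferred from the sample CHAP-Password line above, so check it against pclean in AttrVal.pm), that the CHAP-Challenge is already available as raw bytes, and all function names and sample values are made up for illustration.

```python
import hashlib
import hmac
import re
import sys

def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """Step [2]: CHAP ID byte + MD5(CHAP ID + password + CHAP-Challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def readable(value: bytes) -> str:
    """Assumed readable form: printable ASCII as-is, other bytes as <decimal>."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else f"<{b}>" for b in value)

def candidate_ids(received: str) -> list:
    """The CHAP ID is the first byte: a literal character or a <decimal> token.
    A literal '<' (ID 60) can look like a token, so both readings are kept."""
    ids = {ord(received[0])}
    token = re.match(r"<(\d{1,3})>", received)
    if token:
        ids.add(int(token.group(1)))
    return [i for i in ids if i <= 255]

def chap_matches(received: str, password: bytes, challenge: bytes) -> bool:
    """Step [3]: rebuild the readable CHAP-Password and compare in constant time."""
    if not received:
        return False
    got = received.encode("utf-8")
    ok = False
    for chap_id in candidate_ids(received):
        expected = readable(chap_password(chap_id, password, challenge))
        ok |= hmac.compare_digest(expected.encode("utf-8"), got)
    return ok

if __name__ == "__main__":
    # Constructed sample values, not taken from a real Access-Request.
    password, challenge = b"constructed-secret", bytes(range(16))
    received = readable(chap_password(0x35, password, challenge))
    # Step [4]: exit 0 on a match, exit 1 otherwise.
    sys.exit(0 if chap_matches(received, password, challenge) else 1)
```

Comparing in the readable form avoids decoding the received value, which cannot always be reversed unambiguously when a literal `<` is followed by digits and `>`.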

