[RADIATOR] CHAP flow

Heikki Vatiainen hvn at open.com.au
Sun Nov 27 14:01:22 CST 2011


On 11/26/2011 05:30 AM, M P wrote:

> As per my previous e-mail below, is it possible instead to pass the
> password I received from the external API as stated on item [1] to the
> built-in "processor" that the Radiator has instead of performing the
> item[2], then let Radiator do the rest? Meaning, my script will just
> fetch the password from an external API for Radiator to process it and
> let Radiator do the rest of the remaining processes.

Unfortunately that is not possible. You cannot pass anything other than
the return value and reply attributes back to Radiator. So if you are
using AuthBy EXTERNAL, you need to do the calculation, formatting and
checking completely in your script.

If your external program were written in Perl, you could consider, for
example, AuthBy INTERNAL and AuthHook. You could then call functions
such as Digest::MD5 and Radiator's AttrVal.pm pclean to mimic what
Radiator does when it runs the CHAP check. It might even be possible to
call the CHAP checking function directly from the hook.

Thanks!
Heikki

> Please advise. Thank you.
> 
> 
> ------------------------------------------------------------------------
> From: antmtp at hotmail.com
> To: hvn at open.com.au
> Date: Sat, 26 Nov 2011 11:19:15 +0800
> CC: radiator at open.com.au
> Subject: Re: [RADIATOR] CHAP flow
> 
> Hello Heikki,
> 
> I have a follow-up question and I hope this will be the last for this topic.
> 
>> > My question is, between items [2] and [3], how does Radiator check and
>> > verify the password of the username from its database? Isn't it that
>> > Radiator should check its database first for the username's password
>> > during step [2] or before step [3]?
>>
>> When Radiator receives the password in step [2], it will lookup the
>> plain text password using the username as key. With the password
>> Radiator can calculate its own CHAP-Password value using CHAP-Challenge.
>> See how radpwtst creates the two CHAP related attributes and
>> http://tools.ietf.org/html/rfc2865#section-5.3 for the attribute
>> definitions.
> 
> Since in my case I am getting the password from an external API via
> an AuthBy EXTERNAL script, does it mean that I have to do the following
> steps below upon receiving the user's Access-Request?
> 
> [1] The external script will query the external API server and get the
> user's password;
> 
> [2] The script will then convert the password received into a
> CHAP-Password format (e.g. CHAP ID + MD5SUM of CHAP ID + password +
> CHAP-Challenge);
> 
> [3] Compare the CHAP-Password received from the user's Access-Request vs
> the CHAP-Password that was converted as per item [2];
> 
> [4] Whatever the result of item [3], my script will then do an "exit 0"
> or "exit 1".
> 
> Please advise. Thank you very much.
> 
> _______________________________________________ radiator mailing list
> radiator at open.com.au http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
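The quoted steps [1] to [4] describe the CHAP check an AuthBy EXTERNAL script has to perform itself, and Heikki's reply names the building blocks (an MD5 digest over CHAP ID, password and CHAP-Challenge). The following is an added example, not Radiator's code and not the poster's script, that carries out steps [2] to [4] in Python. It assumes step [1] has already produced the plain-text password, that the CHAP-Challenge and CHAP-Password attribute values have already been decoded into raw bytes (how Radiator formats them on the script's stdin is not covered here), and uses constructed sample values throughout.

```python
import hashlib
import hmac
import sys

# Added example (not Radiator's own code): recompute and check a RADIUS
# CHAP-Password attribute (RFC 2865 section 5.3, RFC 1994) from a plain-text
# password obtained elsewhere, as in steps [2] and [3] of the thread.


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Build the 17-octet CHAP-Password attribute value (step [2]).

    Layout: 1 octet CHAP Ident, then MD5(Ident || password || challenge).
    """
    if not 0 <= ident <= 0xFF:
        raise ValueError("CHAP ident must fit in one octet")
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def verify_chap(password: bytes, chap_password_attr: bytes, challenge: bytes) -> bool:
    """Step [3]: does the attribute from the Access-Request match our password?"""
    if len(chap_password_attr) != 17:
        # Malformed attribute: 1 ident octet + 16 MD5 octets is the only valid size.
        return False
    # The Ident comes from the client's attribute, not from us; reuse it.
    ident = chap_password_attr[0]
    expected = chap_password(ident, password, challenge)
    # Constant-time comparison so timing does not reveal which octet differed.
    return hmac.compare_digest(expected, chap_password_attr)


def decide(password: bytes, chap_password_attr: bytes, challenge: bytes) -> int:
    """Step [4]: map the check to the exit status the thread describes
    (0 accept, 1 reject)."""
    return 0 if verify_chap(password, chap_password_attr, challenge) else 1


# Constructed sample values (not from the thread): a 16-octet challenge as a
# NAS would put in CHAP-Challenge, the password the "external API" returned,
# and the CHAP Ident the client chose.
SAMPLE_CHALLENGE = bytes(range(0x10, 0x20))
SAMPLE_PASSWORD = b"s3cret"
SAMPLE_IDENT = 0x2A

# What a client knowing the right password would have sent in the Access-Request.
SAMPLE_CHAP_PASSWORD = chap_password(SAMPLE_IDENT, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)


def main() -> None:
    # Stand-alone run: the constant above stands in for step [1]; the script
    # then exits with the status that AuthBy EXTERNAL would act on.
    status = decide(SAMPLE_PASSWORD, SAMPLE_CHAP_PASSWORD, SAMPLE_CHALLENGE)
    print("CHAP-Password hex:", SAMPLE_CHAP_PASSWORD.hex())
    print("exit status:", status)
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Two points worth keeping in mind when adapting this: the Ident octet is taken from the client's CHAP-Password attribute rather than chosen by the script, since the client picked it; and when an Access-Request carries no CHAP-Challenge attribute, RFC 2865 specifies that the 16-octet Request Authenticator is used as the challenge instead, so a real script needs that value available as a fallback.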

