[RADIATOR] CHAP and Google Authenticator

dave at carrierip.net dave at carrierip.net
Tue Mar 8 16:58:45 UTC 2022

Hi folks!


I have an issue. We have things working with Google Authenticator such that
a user can supply:

"password:code"

as their password, where "code" is a rolling code from Google Authenticator,
and the logic works. "password" is checked against the database and "code"
is checked as TOTP.


But now we want to add MS-CHAP v2 support, since apparently some Android
devices won't work without it. But CHAP doesn't transmit via clear text the
way PAP does. The only way I can imagine this working is to totally redo the
plumbing to something like this:


1. User still enters "password:code"
2. CHAP at the client uses the NAS-supplied challenge to hash that to
   "abcdefghijklmnopqrstuvwxyz" and sends it to Radiator
3. Radiator doesn't try to parse this anymore
4. Radiator fetches the user's password from the database and
   determines the current TOTP for that user and builds its own
   "server_password:server_code" string
5. Radiator uses the previously-shared challenge to hash that string to
   "server_abcdefghijklmnopqrstuvwxyz"
6. If "abcdefghijklmnopqrstuvwxyz" =
   "server_abcdefghijklmnopqrstuvwxyz", then Accept; else, Reject


So my questions are:


1. Am I getting this right?
2. How have other people solved this problem?
3. Any tips on the best way to implement this in Radiator?
4. Do I need to also be concerned that the Google Auth secrets of users
   are only available to Radiator as hashes?


Thanks in advance!!
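
Added worked example (not from the original post, and not Radiator or Perl
hook code): the flow sketched in steps 1-6 above, written in Python with
RFC 1994 CHAP (MD5 over identifier, secret and challenge) and RFC 6238 TOTP
as Google Authenticator computes it (HMAC-SHA1, 30-second step, 6 digits).
MS-CHAPv2 replaces the MD5 step with the NT-hash/DES response construction
(MD4 over the UTF-16LE password, then DES against a SHA-1-derived challenge)
and adds a peer challenge and an authenticator response, but the server-side
logic is the same as shown here: the server never parses the response, it
rebuilds "password:code" from the stored password and its own TOTP
calculation, and compares. Two consequences bear on question 4: the TOTP
seed must be stored in a form the server can feed to HMAC (a one-way hash of
the seed cannot produce codes), and for MS-CHAPv2 an NT hash of the bare
password does not help either, because the NT hash has to be taken over the
combined "password:code" string. The user record, challenge and timestamps
are constructed; the one-step drift window on each side is an assumption.

```python
import base64
import hashlib
import hmac
import os
import struct

STEP = 30  # Google Authenticator uses 30-second TOTP periods


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as Google Authenticator computes it."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode("utf-8") + challenge).digest()


# Constructed user record (assumption, not a real schema). The server needs the
# plaintext password and the usable TOTP seed; a one-way hash of either would
# make the recomputation below impossible. The seed is the RFC 6238 test key.
USER_DB = {
    "alice": {
        "password": "correct horse",
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    },
}


def client_respond(password, code, ident, challenge):
    """Client side (steps 1-2): the user typed 'password:code'; CHAP hashes
    the whole string with the NAS-supplied challenge. Nothing is sent in clear."""
    return chap_response(ident, f"{password}:{code}", challenge)


def server_verify(username, ident, challenge, response, now, drift_steps=1):
    """Server side (steps 3-6): do not parse the response. Rebuild
    'password:code' from the database and the server's own TOTP calculation,
    hash it with the same challenge, and compare in constant time. Codes from
    the adjacent time steps are also tried to tolerate clock drift."""
    rec = USER_DB.get(username)
    if rec is None:
        return False
    for k in range(-drift_steps, drift_steps + 1):
        code = totp(rec["totp_secret"], now + STEP * k)
        expected = chap_response(ident, f"{rec['password']}:{code}", challenge)
        if hmac.compare_digest(expected, response):
            return True
    return False


def run_exchange(username, password, code, server_time, ident=0x2A):
    """One full round trip: NAS picks a challenge, client answers, server decides."""
    challenge = os.urandom(16)  # NAS-chosen, never reused
    response = client_respond(password, code, ident, challenge)
    return server_verify(username, ident, challenge, response, server_time)


if __name__ == "__main__":
    now = 1111111111  # constructed timestamp (an RFC 6238 test vector time)
    seed = USER_DB["alice"]["totp_secret"]
    print("fresh code   :", run_exchange("alice", "correct horse", totp(seed, now), now))
    print("one step old :", run_exchange("alice", "correct horse", totp(seed, now - STEP), now))
    print("wrong pass   :", run_exchange("alice", "wrong", totp(seed, now), now))
```

Because the server builds the "password:code" string itself, a password that
contains ":" needs no special handling here, whereas a PAP-side split on ":"
would have to split on the last colon. The drift loop costs one hash per
candidate code, so keep the window small; a wider window only weakens the
one-time property of the code.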
