Re: Freeradius-0.9.3 and Digest-MD5 Authentication

2003-12-04 Thread Alan DeKok
Shoujit Mitra [EMAIL PROTECTED] wrote:
 I have a question regarding the implementation of the Digest-MD5 authentication
 protocol as defined in the 'expired' draft draft-sterman-aaa-sip-00.txt.
 As per the draft, everything seems to be perfect other than step 4 in the
 sequence diagram below.
...

  I would suggest asking the draft authors.

 4. Issue:
At step 4, the FreeRADIUS server sends an Access-Accept packet to the RADIUS client,
without the Digest-Authentication Response.

  Which is what the draft says to do, and which is what works with the
Cisco SIP servers which use this protocol.

As per RFC2831: Using Digest Authentication as a SASL Mechanism
 
RADIUS Server should send a message formatted as follows:
response-auth = rspauth = response-value

  Absolutely not.  RFC 2831 says nothing at all about RADIUS.

 Question:
 1. Hope my understanding of the flow of messages/data is correct.
If not please correct me.

  It looks fine to me.

 2. If the above flow is correct, are there any plans to make the Digest-MD5
authentication compliant with RFC 2831?

  Why?  It's compliant to the Sterman draft, not to RFC 2831.  If the
Sterman draft isn't compliant to RFC 2831, then I suggest emailing the
authors of that draft, and asking them about it.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius-0.9.3 and Digest-MD5 Authentication

2003-12-03 Thread Shoujit Mitra
I have a question regarding the implementation of the Digest-MD5 authentication
protocol as defined in the 'expired' draft draft-sterman-aaa-sip-00.txt.
As per the draft, everything seems to be perfect other than step 4 in the
sequence diagram below.



   User               RADIUS Client (NAS)              RADIUS Server
    |                          |                              |
    |---Connection Setup------>| Creates a nonce and          |
    |       Request            | sends a challenge request    |
    |                          | to the client/user           |
    |                          |                              |
    |<------Challenge(1)-------|                              |
    |                          |                              |
    |-------Response(2)------->|                              |
    |                          |------Access-Request(3)------>|
    |                          |                              |
    |                          |<-----Access-Accept(4)--------|
    |                          |                              |
1. digest-challenge =1#( realm | nonce | qop-options
   | stale | maxbuf | charset | algorithm | auth-param )
2. digest-response  = 1#( username | realm | nonce | cnonce
  | nonce-count | qop | digest-uri | response | charset | auth-param )
3.  User-Name = testing
   Digest-Response = 817c2768ab351ce3a7675cc5399ef057
   Digest-Realm = \001\007test
   Digest-Nonce = \002\0141069805234
   Digest-CNonce = \010\0141069853396
   Digest-Method = \003\016AUTHENTICATE
   Digest-URI = \004\022tsp/172.16.212.2
   Digest-QOP = \005\006auth
   Digest-Algorithm = \006\nMD5-sess
   Digest-Nonce-Count = \t\n0001
   Digest-User-Name = \n\016testing
4. Issue:
  At step 4, the FreeRADIUS server sends an Access-Accept packet to the RADIUS client,
  without the Digest-Authentication Response.
  As per RFC2831: Using Digest Authentication as a SASL Mechanism

  RADIUS Server should send a message formatted as follows:
  response-auth = rspauth = response-value
  where response-value is calculated as above, using the values sent in
  step two, except that if qop is auth, then A2 is
   A2 = { ":", digest-uri-value }

   and

   A1 = { H( { username-value, ":", realm-value, ":", passwd } ), ":",
          nonce-value, ":", cnonce-value }

   response-value = HEX( KD ( HEX(H(A1)),
                    { nonce-value, ":", nc-value, ":",
                      cnonce-value, ":", qop-value, ":",
                      HEX(H(A2)) }))
Question:
1. Hope my understanding of the flow of messages/data is correct.
  If not please correct me.
2. If the above flow is correct, are there any plans to make the Digest-MD5
  authentication compliant with RFC 2831?
Hope I was able to clearly present my doubt.

Thanks,
Shoujit
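To make the RFC 2831 arithmetic in the post concrete, the following is an added Python example (not code from the thread, the draft or FreeRADIUS) that recomputes a Digest-MD5 response-value with the MD5-sess A1 and the rspauth (response-auth) the poster expects the server to return, using the attribute values from step 3; the cleartext password is a constructed placeholder because the post does not contain it.

```python
import hashlib
import hmac

# Values taken from step 3 of the post; the password is constructed.
USERNAME = "testing"
REALM = "test"
NONCE = "1069805234"
CNONCE = "1069853396"
NC = "00000001"
QOP = "auth"
DIGEST_URI = "tsp/172.16.212.2"
PASSWORD = "example-password"  # placeholder, not from the thread


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hex_h(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_a1(username, realm, password, nonce, cnonce, authzid=None) -> str:
    # RFC 2831 A1 for MD5-sess: the inner H() is the raw 16-byte digest,
    # not its hex form (this differs from HTTP Digest in RFC 2617).
    inner = _h(f"{username}:{realm}:{password}".encode())
    a1 = inner + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    return _hex_h(a1)


def digest_response(hex_h_a1, nonce, nc, cnonce, qop, digest_uri, method) -> str:
    # method is "AUTHENTICATE" for the client's response-value and "" for
    # the server's rspauth; everything else in the KD() input is shared.
    a2 = f"{method}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd_input = f"{hex_h_a1}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_h(a2.encode())}"
    return _hex_h(kd_input.encode())


def client_response(password=PASSWORD) -> str:
    ha1 = hash_a1(USERNAME, REALM, password, NONCE, CNONCE)
    return digest_response(ha1, NONCE, NC, CNONCE, QOP, DIGEST_URI, "AUTHENTICATE")


def server_check(presented_response, password=PASSWORD):
    """Server side: recompute the expected response from the stored
    password; on a match return the rspauth the poster says is missing."""
    ha1 = hash_a1(USERNAME, REALM, password, NONCE, CNONCE)
    expected = digest_response(ha1, NONCE, NC, CNONCE, QOP, DIGEST_URI, "AUTHENTICATE")
    if not hmac.compare_digest(expected, presented_response):
        return None
    return digest_response(ha1, NONCE, NC, CNONCE, QOP, DIGEST_URI, "")
```

Because the placeholder password is not the real one, the computed value will not equal the 817c2768... Digest-Response shown in step 3; the point is the order of operations, in particular the binary inner hash in A1 and the empty method in the rspauth A2.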