P B <[EMAIL PROTECTED]> wrote:
> I am using freeradius-0.5 on RH7.2. My NAS is sending
> an Access Request with User_Name, Chap_Password,
> chap_id and Chap_Challenge as attributes.
>
> The NAS calculates the Chap_Password as:
> MD5(chap_id + password + chap_challenge)
> where, "+" denotes concatenation.

As per the RFC's, that's what it's supposed to do.

> The Chap_Challenge is sent as a separate attribute
> (not as the authenticator).

That should be fine.

> If I use a chap_challenge of 16 octets then everything
> is OK, but if I use any other size (24 for instance)
> then the authentication always fails and "Incorrect
> Password" is logged in the radius log-file.

My question is why and how are you changing the length of the CHAP-Challenge?

If I use 'radclient', I can send a packet like:

    User-Name = "bob"
    CHAP-Challenge = "afffffffffffffffffffffffffffffffffffffffa"
    CHAP-Password = "bob" # encrypted, of course

And it authenticates fine.

> Does freeradius accept CHAP challenge of only 16
> octets? Is this some configurable parameter?

FreeRADIUS has *no* code in it which depends on the length of the CHAP-Challenge. If there isn't a CHAP-Challenge in the packet, then it's taken from the request authenticator, and MUST be 16 octets. The CHAP-Challenge attribute can be almost any length, and that's the way the 'verify challenge' code works.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
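
The CHAP check discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS code: it verifies a CHAP-Password against a challenge taken from the CHAP-Challenge attribute when present, otherwise from the 16-octet request authenticator. It assumes the RFC 2865 layout (CHAP-Password value is the 1-octet CHAP ID followed by the 16-octet MD5 response); the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(chap_id + password + chap_challenge), where '+' is concatenation."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def build_chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side: CHAP-Password value = 1-octet CHAP ID + 16-octet response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)

def verify_chap(chap_password: bytes, known_password: bytes,
                authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server side: the length of the challenge is never inspected when the
    CHAP-Challenge attribute is present; only the fallback must be 16 octets."""
    if len(chap_password) != 17:
        return False  # malformed attribute: need ID + 16-octet digest
    if chap_challenge is not None:
        challenge = chap_challenge
    else:
        if len(authenticator) != 16:
            return False
        challenge = authenticator
    expected = chap_response(chap_password[0], known_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])

def demo() -> dict:
    # Constructed sample values, not taken from any real packet.
    password, chap_id = b"bob", 0x2A
    authenticator = bytes(range(16))
    results = {}
    for n in (16, 24):  # challenge carried in the CHAP-Challenge attribute
        challenge = bytes([0xA5]) * n
        attr = build_chap_password(chap_id, password, challenge)
        results[f"challenge_attr_{n}"] = verify_chap(
            attr, password, authenticator, challenge)
    # No CHAP-Challenge attribute: the request authenticator is the challenge.
    attr = build_chap_password(chap_id, password, authenticator)
    results["authenticator_fallback"] = verify_chap(attr, password, authenticator)
    # Response hashed over a 24-octet challenge that is not in the packet.
    attr = build_chap_password(chap_id, password, bytes([0xA5]) * 24)
    results["challenge_not_sent"] = verify_chap(attr, password, authenticator)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The last case shows the one way challenge length matters here: the server can only verify against the bytes it actually receives, so both sides must hash the same challenge.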
