----- Original Message -----
From: "Simon Bond" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 3:17 PM
Subject: Proxying MS-CHAP request to a PAP RADIUS server. 0.9.3

> Hello,
>
> My overall plan is to authenticate from my Draytek 2600W ADSL router to a RSA ACE/Server which provides one-time passwords using a hardware SecurID keyfob.
>
> The RSA ACE/Server supports authentication via SecurID (UDP/5500) or via RADIUS, but the RADIUS server only supports PAP and EAP authentication (there is a good reason for this), whilst the Draytek only supports MS-CHAP. Doh!
>
> I can however authenticate fine from the Draytek 2600 to FreeRadius 0.9.3 which I'm running on a Sun Ultra 5. I'm very pleased with FreeRadius - it's also working very well with Wireless 802.1X / EAP authentication.
>
> I was hoping to use the Proxy feature of FreeRadius to take the authentication request from the Draytek (MS-CHAP) and pass it on to the RSA ACE/Server (PAP), but when proxying, it would only use the same authentication scheme as sent from the Draytek (i.e. MS-CHAP).
>
> Is there any way to proxy a request and change the authentication type at the same time - so take a MS-CHAP request from the Draytek and proxy it on to the RSA ACE/Server as a PAP request??

The CHAP password is made of a ONE-WAY encryption of a challenge and the real password. The NAS sends the challenge and the encrypted password to the RADIUS server. The only way to check the password is to have it at the RADIUS server in cleartext, since it's one-way encryption. The RADIUS server will take the cleartext password, add the challenge and also do the one-way encryption, then it can compare the encrypted result with the encrypted password coming from the NAS. One of the reasons for this is to make it impossible for intermediate proxy RADIUS servers to get the user's password.

> As a complete aside (and not high on my list), I was able to compile 0.9.3 OK, but couldn't compile 1.0.0pre1 at all - failed whilst compiling md4.c. Is this a common fault? I've not spotted anything on the lists about this.
>
> P.S. The RSA ACE/Server is also running on the Sparc 5. I'm running FreeRadius on UDP/1812 and RSA ACE/Server RADIUS on UDP/1645.
>
> If this fails, I do know that I can use Funk Proxy because it will take the MS-CHAP RADIUS request and forward that as a SecurID (UDP/5500) request to the ACE/Server. I'd rather use open source software though as I prefer the open development model (and would hope to contribute back one day).
>
> Thanks in advance.
>
> Simon Bond
> [EMAIL PROTECTED]
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
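To make the reply's point concrete, here is an added example (not code from the thread or from FreeRADIUS) that models the exchange with RFC 1994 CHAP, whose response is MD5(identifier || password || challenge); MS-CHAP uses a different digest, but the one-way property and the consequence for proxying are the same. The user name, password and challenge are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 response digest: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def nas_chap_request(user: str, password: str, ident: int, challenge: bytes) -> dict:
    """Access-Request attributes a CHAP-only NAS sends to the RADIUS server.
    The cleartext password never leaves the NAS; only the digest does."""
    return {
        "User-Name": user,
        "CHAP-Challenge": challenge,
        "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge),
    }

def nas_pap_request(user: str, password: str) -> dict:
    """What a PAP-only backend expects: the password itself (on the wire
    RADIUS obscures it with the shared secret; omitted here)."""
    return {"User-Name": user, "User-Password": password}

def server_verify_chap(request: dict, cleartext_db: dict) -> bool:
    """Backend check: recompute the digest from the stored cleartext password
    and compare. Without the cleartext there is nothing to recompute."""
    stored = cleartext_db.get(request["User-Name"])
    if stored is None:
        return False
    ident, digest = request["CHAP-Password"][0], request["CHAP-Password"][1:]
    expected = chap_response(ident, stored, request["CHAP-Challenge"])
    return hmac.compare_digest(expected, digest)

def proxy_to_pap(request: dict) -> Optional[dict]:
    """A proxy can only forward what it holds. A CHAP request carries no
    User-Password, so there is no PAP request it could build from it."""
    if "User-Password" in request:
        return nas_pap_request(request["User-Name"], request["User-Password"])
    return None

if __name__ == "__main__":
    challenge = os.urandom(16)          # constructed sample challenge
    users = {"simon": "s3cret-otp"}     # constructed sample cleartext store
    req = nas_chap_request("simon", "s3cret-otp", 7, challenge)
    print(server_verify_chap(req, users))   # True: backend holds the cleartext
    print(proxy_to_pap(req))                # None: proxy cannot convert to PAP
```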

