Hi all,

I have a fundamental problem with CHAP. How do I give a user a CHAP-Password??
It is a check item I suppose but if I include it as plain text like this in my users file -

USERNAME CHAP-Password = "0123456789ABCDEF", NAS-IP-Address = "193.129.12.90"
         Service-Type = Framed-User,

then I get 

Mon Apr 12 16:06:35 1999: DEBUG: Radius::AuthFILE REJECT: Check item CHAP-Password value '0123456789ABCDEF' does not match 'J.c_o++^+?_o?-i]' in request

If I drop the CHAP-Password from the check items like this -

USERNAME NAS-IP-Address = "193.129.12.90"
         Service-Type = Framed-User,

then I get an Accept from the server. Some comments on this situation -

1. The request MUST contain either a User-Password or a CHAP-Password but
Radiator can clearly be configured not to require either. This arguably gives extra
flexibility but at the potential cost of less security.

2. The Accept described above is bogus. RFC 2138 says

   "The RADIUS server looks up a password based on the User-Name,
   encrypts the challenge using MD5 on the CHAP ID octet, that password,
   and the CHAP challenge (from the CHAP-Challenge attribute if present,
   otherwise from the Request Authenticator), and compares that result
   to the CHAP-Password.  If they match, the server sends back an
   Access-Accept, otherwise it sends back an Access-Reject."

Since in this case the server did not know the Password then it could not possibly
have done the comparison described in the RFC. Surely it should have rejected this request?

Perhaps I should re-phrase the question - How do I give a user a CHAP-Password
which I know will be verified by the server??

thanks in advance

Arnie
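
Added example (not part of the original post, and not Radiator's code): the RFC 2138 comparison quoted above, written out in Python. The CHAP-Password value in a request is the CHAP ID octet followed by a 16-octet MD5 response, so a literal comparison against the stored cleartext cannot match. The function names, the CHAP ID and the Request Authenticator are constructed for illustration; the cleartext password is the sample value from the post.

```python
import hashlib
import hmac
from typing import Optional


def chap_digest(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 2138: MD5 over the CHAP ID octet, the password, then the challenge.
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_password: Optional[bytes], stored_password: bytes,
                request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    # CHAP-Password value = 1 octet CHAP ID + 16 octets of MD5 response.
    if chap_password is None or len(chap_password) != 17:
        # Assumption of this example: no usable CHAP response means no accept.
        return False
    # Challenge comes from CHAP-Challenge if present, otherwise from the
    # Request Authenticator, as the RFC text quoted above says.
    challenge = (chap_challenge if chap_challenge is not None
                 else request_authenticator)
    expected = chap_digest(chap_password[0], stored_password, challenge)
    # Constant-time comparison of the recomputed response with the received one.
    return hmac.compare_digest(expected, chap_password[1:])


# Constructed sample request values (not taken from any real capture).
STORED_PASSWORD = b"0123456789ABCDEF"      # cleartext held by the server
REQUEST_AUTHENTICATOR = bytes(range(16))   # 16-octet authenticator
CHAP_ID = 0x2A
# What a NAS would place in the CHAP-Password attribute for this user.
CHAP_PASSWORD = bytes([CHAP_ID]) + chap_digest(
    CHAP_ID, STORED_PASSWORD, REQUEST_AUTHENTICATOR)

if __name__ == "__main__":
    print("literal match :", CHAP_PASSWORD == STORED_PASSWORD)
    print("RFC comparison:", verify_chap(CHAP_PASSWORD, STORED_PASSWORD,
                                         REQUEST_AUTHENTICATOR))
    print("wrong password:", verify_chap(CHAP_PASSWORD, b"guess",
                                         REQUEST_AUTHENTICATOR))
    print("no attribute  :", verify_chap(None, STORED_PASSWORD,
                                         REQUEST_AUTHENTICATOR))
```

The server can only perform this check if it holds the user's cleartext password, since the MD5 response cannot be recomputed from a one-way hash of the password.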





