On 10/21/2011 11:21 AM, M P wrote:

> May I know how to determine whether the incoming Access-Request is PAP
> or CHAP? What are the things to consider in CHAP?

You check for the presence of CHAP-Password attribute. Here's an example
showing the difference between PAP and CHAP.

% ./radpwtst -trace 4 -noacct
Fri Oct 21 11:32:49 2011: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Fri Oct 21 11:32:49 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Access-Request
Identifier: 79
Authentic:  L}!<139><26>/<14>mC<27><229>S"\<<252>
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = Pdr<243><193><25>,<128><198><183>=.<130><211>s$


% ./radpwtst -trace 4 -noacct -chap
Fri Oct 21 11:32:52 2011: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Fri Oct 21 11:32:52 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Access-Request
Identifier: 82
Authentic:  ^<146>+<222><249><213><128>K;<171><148>0<218><241>X<158>
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        CHAP-Password = 5S<170><235><146><30><135><252><190><135><244>.cx<249><173>~
        CHAP-Challenge = 1234567890123456


> I am currently using an AuthBy EXTERNAL for PAP with the following
> configuration:
> 
> <Handler Realm=testing>
>     <AuthBy EXTERNAL>
>         RejectEmptyPassword
>         DecryptPassword
>         Command /usr/local/sbin/radiator-auth
>         Fork
>     </AuthBy>
>     RejectHasReason
> </Handler>
> 
> Now, I want the external command to support both PAP and CHAP. Right
> now, PAP works fine already. I'm not sure yet how to extend the support
> for CHAP that will co-exist on the same script as on the current one.

Try extending your external command to watch for CHAP-Password and then
act accordingly for CHAP authentication if the attribute is present.

Thanks!
Heikki


-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
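
One way to do the check described in the reply inside an external command, as an added example that is not part of the original message and is not Radiator's own code: it classifies a request by the presence of CHAP-Password and verifies the CHAP response as defined in RFC 2865. It assumes the script has already parsed the attributes into a dict of raw byte values and can look up the user's cleartext password (a CHAP response cannot be checked against a one-way hash); `USERS`, `authenticate` and the other names are hypothetical, and how AuthBy EXTERNAL hands binary attributes to the command is not shown.

```python
import hashlib
import hmac

def auth_method(attrs):
    """Classify an Access-Request by the password attribute it carries."""
    if "CHAP-Password" in attrs:
        return "CHAP"
    if "User-Password" in attrs:
        return "PAP"
    return "NONE"

def chap_response(ident, password, challenge):
    """RFC 2865 5.3: MD5 over CHAP ident octet, cleartext password, challenge."""
    return hashlib.md5(ident + password + challenge).digest()

def verify_chap(attrs, password, authenticator=b""):
    value = attrs["CHAP-Password"]
    if len(value) != 17:            # 1 ident octet + 16 octet MD5 response
        return False
    # The challenge is CHAP-Challenge if present, else the Request Authenticator.
    challenge = attrs.get("CHAP-Challenge") or authenticator
    if not challenge:
        return False
    expected = chap_response(value[:1], password, challenge)
    return hmac.compare_digest(expected, value[1:])

def authenticate(attrs, stored, authenticator=b""):
    """stored: hypothetical dict of user name -> cleartext password bytes."""
    password = stored.get(attrs.get("User-Name"))
    if password is None:
        return False
    method = auth_method(attrs)
    if method == "CHAP":
        return verify_chap(attrs, password, authenticator)
    if method == "PAP":
        supplied = attrs["User-Password"]   # assumed already decrypted by the server
        return bool(supplied) and hmac.compare_digest(supplied, password)
    return False

# Constructed sample data (not taken from the packet dumps above).
USERS = {"mikem": b"fred"}
CHALLENGE = b"0123456789abcdef"
CHAP_REQ = {"User-Name": "mikem", "CHAP-Challenge": CHALLENGE,
            "CHAP-Password": b"\x35" + chap_response(b"\x35", b"fred", CHALLENGE)}
PAP_REQ = {"User-Name": "mikem", "User-Password": b"fred"}

if __name__ == "__main__":
    for req in (PAP_REQ, CHAP_REQ):
        print(auth_method(req), authenticate(req, USERS))
```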