Hello Heikki,

Thank you for your detailed explanation.

Regards,

> Date: Wed, 23 Nov 2011 21:29:16 +0200
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [RADIATOR] CHAP flow
>
> On 11/23/2011 11:04 AM, M P wrote:
>
> > In CHAP, how does Radiator verify the password submitted by the end
> > user matches the password in the database? Please correct my
> > understanding on the following process flow:
>
> Here's an example with radpwtst. Note that CHAP does not need to return
> Access-Challenge. CHAP authentication takes only an Access-Request with
> Access-Accept or Access-Reject as return message.
>
> ~/radiator/Radiator-4.9$ ./radpwtst -trace 4 -noacct -chap -user mikem -password fred
> Wed Nov 23 21:13:16 2011: DEBUG: Reading dictionary file './dictionary'
> sending Access-Request...
> Wed Nov 23 21:13:16 2011: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1645 ....
> Code:       Access-Request
> Identifier: 46
> Authentic:  "<230><209>Z" <174><13>!~<19>R<213><159><194>g
> Attributes:
>         User-Name = "mikem"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Identifier = "203.63.154.1"
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         CHAP-Password = 5S<170><235><146><30><135><252><190><135><244>.cx<249><173>~
>         CHAP-Challenge = 1234567890123456
>
> Wed Nov 23 21:13:16 2011: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1645 ....
> Code:       Access-Accept
> Identifier: 46
> Authentic:  <223><19><224><127>b<192><220><243><156><17><7><25><179><157><147><24>
> Attributes:
>
> OK
>
> > [1] End user submits the username and password via CHAP.
> > [2] Upon hitting the Radiator with the CHAP-Password attribute, it will
> > respond with Access-Challenge (exit 3).
> > [3] Perform challenge-response and decide whether the Radiator will
> > Access-Accept or Access-Reject.
> >
> > My question is, between items [2] and [3], how does Radiator check and
> > verify the password of the username from its database? Isn't it that
> > Radiator should check first its database for the username's password
> > during step [2] or before step [3]?
>
> When Radiator receives the password in step [2], it will look up the
> plain text password using the username as key. With the password
> Radiator can calculate its own CHAP-Password value using CHAP-Challenge.
> See how radpwtst creates the two CHAP related attributes and
> http://tools.ietf.org/html/rfc2865#section-5.3 for the attribute
> definitions.
>
> Once Radiator has its own value for CHAP-Password it can compare it to
> the received CHAP-Password and make an immediate pass/fail decision without
> challenging the client.
>
> > Please advise as I am confused. I am actually using AuthBy EXTERNAL and
> > executing an external script to check an external API for the user's
> > password.
>
> See how radpwtst and Radius/AuthGeneric.pm and the check_chap function
> calculate the values. That should clarify how CHAP-Password and
> CHAP-Challenge work.
>
> Thanks!
> Heikki
>
> > Thank you in advance.
> >
> > _______________________________________________
> > radiator mailing list
> > [email protected]
> > http://www.open.com.au/mailman/listinfo/radiator
>
> --
> Heikki Vatiainen <[email protected]>
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
_______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
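The single-round CHAP check Heikki describes (look up the cleartext password by User-Name, recompute CHAP-Password from the ID octet, the password and the challenge, compare, answer Accept or Reject) as an added worked example. This is example code written for this page, not Radiator's check_chap or radpwtst; the user table, the NAS-side request builder and the server helper are constructed for the demo. The decoder for the packet dump assumes Radiator prints a printable byte as itself and any other byte as <decimal>, and reads the first byte of the dumped CHAP-Password (ASCII '5') as the CHAP ID; whether the dump is reproduced under that reading is reported, not assumed.

```python
"""Server-side CHAP verification as a RADIUS server does it (example code, not Radiator's)."""
import hashlib
import hmac
import os


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value (RFC 2865 s5.3, RFC 1994): ID octet || MD5(ID || password || challenge)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP ID is a single octet")
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def check_chap(chap_password: bytes, chap_challenge, request_authenticator: bytes,
               stored_password: bytes) -> bool:
    """What the server does: recompute from the stored cleartext password and compare."""
    if len(chap_password) != 17:          # 1 ID octet + 16 MD5 octets
        return False
    # RFC 2865: the challenge is the CHAP-Challenge attribute if present,
    # otherwise the 16-octet Request Authenticator of the Access-Request.
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_password[0], stored_password, challenge)
    # Constant-time compare so a failing client learns only pass/fail.
    return hmac.compare_digest(expected, chap_password)


# Constructed user table. CHAP needs the cleartext (or reversibly encrypted)
# password on the server; a one-way hash cannot be used, because the server
# has to recompute MD5(ID || password || challenge) itself.
USERS = {"mikem": b"fred"}


def nas_access_request(user: str, password: bytes, chap_id: int = 1,
                       include_challenge: bool = True) -> dict:
    """Client side (a NAS, or radpwtst -chap): one Access-Request, no Access-Challenge round."""
    authenticator = os.urandom(16)
    challenge = os.urandom(16) if include_challenge else authenticator
    req = {
        "Request-Authenticator": authenticator,
        "User-Name": user,
        "CHAP-Password": chap_response(chap_id, password, challenge),
    }
    if include_challenge:
        req["CHAP-Challenge"] = challenge
    return req


def radius_server(req: dict) -> str:
    """Server side: key the password lookup on User-Name, verify, decide immediately."""
    stored = USERS.get(req.get("User-Name", ""))
    if stored is None:
        return "Access-Reject"
    ok = check_chap(req["CHAP-Password"], req.get("CHAP-Challenge"),
                    req["Request-Authenticator"], stored)
    return "Access-Accept" if ok else "Access-Reject"


# Values copied from the radpwtst packet dump in the thread above.
RADPWTST_CHAP_PASSWORD = "5S<170><235><146><30><135><252><190><135><244>.cx<249><173>~"
RADPWTST_CHAP_CHALLENGE = b"1234567890123456"


def decode_dump(s: str) -> bytes:
    """Turn the packet-dump notation (printable byte as itself, else <decimal>) back into bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "<" and ">" in s[i:]:
            j = s.index(">", i)
            if s[i + 1:j].isdigit():
                out.append(int(s[i + 1:j]))
                i = j + 1
                continue
        out.append(ord(s[i]))
        i += 1
    return bytes(out)


def matches_radpwtst_dump() -> bool:
    """Re-derive the dumped CHAP-Password from password 'fred' and the dumped challenge,
    reading the first dumped byte (ASCII '5', 0x35) as the CHAP ID (an assumption)."""
    dumped = decode_dump(RADPWTST_CHAP_PASSWORD)
    return check_chap(dumped, RADPWTST_CHAP_CHALLENGE, b"\0" * 16, b"fred")


if __name__ == "__main__":
    print(radius_server(nas_access_request("mikem", b"fred")))                          # Access-Accept
    print(radius_server(nas_access_request("mikem", b"wrong")))                         # Access-Reject
    print(radius_server(nas_access_request("mikem", b"fred", include_challenge=False)))  # Access-Accept
    print("dump reproduced:", matches_radpwtst_dump())
```

Two points a practitioner should take from this. First, there is no Access-Challenge step: the NAS sends the challenge and the response in the same Access-Request, and the server answers Accept or Reject straight away. Second, whatever backs the password lookup (a database, or an external script calling an API) must be able to hand the server the cleartext password; an API that only answers "is this password correct?" against a one-way hash cannot support CHAP, because the server never sees the password itself, only MD5(ID || password || challenge).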
