Re: (RADIATOR) Chap-Password - How??

1999-04-13 Thread Arnie Roberts

Mike said
>It's the NAS that decides whether to do PAP or CHAP. Radiator just takes what
>it's given and checks against User-Password in the user entry

Sorry - my mistake. I assumed Chap-Password was a separate configurable
item. I've re-tested using your explanation and now the server accepts and rejects
correctly.

thanks very much

Stuart said
>...that is what the docs suggest to me.

No I hadn't picked that up. Thanks

Arnie


===
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.



Re: (RADIATOR) Chap-Password - How??

1999-04-13 Thread Stuart Henderson

> I have a fundamental problem with Chap. How do I give a 
> user a CHAP-Password?? It is a check item I suppose but if 
> I include it as plain text like this in my users file -
> 
> USERNAME CHAP-Password = "0123456789ABCDEF", NAS-IP-Address = "193.129.12.90"
>  Service-Type = Framed-User,

Have you tried just user-password = "foo"? By checking CHAP-password
directly I think you are bypassing Radiator's chap code. I haven't tried
it but that is what the docs suggest to me.




Re: (RADIATOR) Chap-Password - How??

1999-04-13 Thread Mike McCauley

Hi Arnie,

On Apr 13, 10:30am, Arnie Roberts wrote:
> Subject: (RADIATOR) Chap-Password - How??
> Hi all,
>
> I have a fundamental problem with Chap. How do I give a user a CHAP-Password??
> It is a check item I suppose but if I include it as plain text like this in
> my users file -
>
> USERNAME CHAP-Password = "0123456789ABCDEF", NAS-IP-Address = "193.129.12.90"
>  Service-Type = Framed-User,

No, you should set it up like this:

USERNAME User-Password = "0123456789ABCDEF", NAS-IP-Address = "193.129.12.90"
  Service-Type = Framed-User,

For PAP auths, Radiator will compare the incoming plaintext password (after
decrypting) with the correct User-Password from the users entry.

For CHAP auths, Radiator will transform the correct plaintext from
User-Password and compare the transformed version with the incoming
CHAP-Password.

It's the NAS that decides whether to do PAP or CHAP. Radiator just takes what
it's given and checks against User-Password in the user entry.


>
> then I get
>
> Mon Apr 12 16:06:35 1999: DEBUG: Radius::AuthFILE REJECT: Check item CHAP-Password value '0123456789ABCDEF' does not match 'J.c_o++^+?_o?-i]' in request
>
> If I drop the CHAP-Password from the check items like this -
>
> USERNAME NAS-IP-Address = "193.129.12.90"
>  Service-Type = Framed-User,
>
> then I get an Accept from the server. Some comments on this situation -
That's because you have not specified to check the password.

>
> 1. The request MUST contain either a User-Password or a CHAP-Password but
> Radiator can clearly be configured not to require either. This arguably gives
> extra flexibility but at the potential cost of less security.
True.

>
> 2. The Accept described above is bogus. RFC 2138 says
>
>"The RADIUS server looks up a password based on the User-Name,
>encrypts the challenge using MD5 on the CHAP ID octet, that password,
>and the CHAP challenge (from the CHAP-Challenge attribute if present,
>otherwise from the Request Authenticator), and compares that result
>to the CHAP-Password.  If they match, the server sends back an
>Access-Accept, otherwise it sends back an Access-Reject."
>
> Since in this case the server did not know the Password then it could not
> possibly have done the comparison described in the RFC. Surely it should have
> rejected this request?
>
> Perhaps I should re-phrase the question - How do I give a user a CHAP-Password
> which I know will be verified by the server??
See above.

Hope that helps.

Cheers.


-- 
Mike McCauley   [EMAIL PROTECTED]
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985   Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, external, etc etc on Unix, Win95/8, NT, Rhapsody
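
The CHAP check described in the reply above and in the quoted RFC 2138 text, as an added example (not code from this thread or from Radiator). It shows why the server needs the plaintext User-Password and why a literal CHAP-Password check item cannot match. The function names, CHAP Ident and Request Authenticator are constructed for illustration; the password is the one from the users entry in the thread.

```python
import hashlib
import hmac

def chap_digest(chap_id, password, challenge):
    # RFC 2138: MD5 over the CHAP ID octet, the password, then the challenge.
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def nas_chap_password(chap_id, password, challenge):
    # CHAP-Password attribute value: 1 octet CHAP Ident + 16 octet response.
    return bytes([chap_id]) + chap_digest(chap_id, password, challenge)

def verify_chap(chap_password, stored_plaintext, authenticator, chap_challenge=None):
    # Without a stored plaintext there is nothing to hash. Rejecting here is a
    # choice made in this example; the thread shows Radiator accepting a users
    # entry that has no password check item.
    if stored_plaintext is None or len(chap_password) != 17:
        return False
    # Use CHAP-Challenge if present, otherwise the Request Authenticator.
    challenge = chap_challenge if chap_challenge is not None else authenticator
    expected = chap_digest(chap_password[0], stored_plaintext, challenge)
    return hmac.compare_digest(expected, chap_password[1:])

# Constructed sample values (not taken from a real capture).
USER_PASSWORD = b"0123456789ABCDEF"   # plaintext from the users entry in the thread
AUTHENTICATOR = bytes(range(16))      # constructed Request Authenticator
CHAP_ID = 0x2A                        # constructed CHAP Ident

# What the NAS would place in the Access-Request for this user.
REQUEST_ATTR = nas_chap_password(CHAP_ID, USER_PASSWORD, AUTHENTICATOR)

if __name__ == "__main__":
    # Comparing the attribute to the plaintext, as a CHAP-Password check item
    # does, never matches: the request carries a digest, not the password.
    print("literal check item match:", REQUEST_ATTR == USER_PASSWORD)
    print("right password:", verify_chap(REQUEST_ATTR, USER_PASSWORD, AUTHENTICATOR))
    print("wrong password:", verify_chap(REQUEST_ATTR, b"guess", AUTHENTICATOR))
    print("no stored password:", verify_chap(REQUEST_ATTR, None, AUTHENTICATOR))
```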