Hi Arnie,
On Apr 13, 10:30am, Arnie Roberts wrote:
> Subject: (RADIATOR) Chap-Password - How??
> Hi all,
>
> I have a fundamental problem with Chap. How do I give a user a CHAP-Password??
> It is a check item I suppose but if I include it as plain text like this in my users file -
>
> USERNAME CHAP-Password = "0123456789ABCDEF", NAS-IP-Address = "193.129.12.90"
> Service-Type = Framed-User,
No, you should set it up like this:
USERNAME User-Password = "0123456789ABCDEF", NAS-IP-Address = "193.129.12.90"
Service-Type = Framed-User,
For PAP auths, Radiator will compare the incoming plaintext password (after
decrypting) with the correct User-Password from the users entry.
For CHAP auths, Radiator will transform the correct plaintext from
User-Password and compare the transformed version with the incoming
CHAP-Password.
It's the NAS that decides whether to do PAP or CHAP. Radiator just takes what
it's given and checks against User-Password in the user entry.
>
> then I get
>
> Mon Apr 12 16:06:35 1999: DEBUG: Radius::AuthFILE REJECT: Check item CHAP-Password value '0123456789ABCDEF' does not match 'J.c_o++^+?_o?-i]' in request
>
> If I drop the CHAP-Password from the check items like this -
>
> USERNAME NAS-IP-Address = "193.129.12.90"
> Service-Type = Framed-User,
>
> then I get an Accept from the server. Some comments on this situation -
That's because you have not specified to check the password.
>
> 1. The request MUST contain either a User-Password or a CHAP-Password but
> Radiator can clearly be configured not to require either. This arguably gives
> extra flexibility but at the potential cost of less security.
True.
>
> 2. The Accept described above is bogus. RFC 2138 says
>
>"The RADIUS server looks up a password based on the User-Name,
>encrypts the challenge using MD5 on the CHAP ID octet, that password,
>and the CHAP challenge (from the CHAP-Challenge attribute if present,
>otherwise from the Request Authenticator), and compares that result
>to the CHAP-Password. If they match, the server sends back an
>Access-Accept, otherwise it sends back an Access-Reject."
>
> Since in this case the server did not know the Password then it could not
> possibly have done the comparison described in the RFC. Surely it should have
> rejected this request?
>
> Perhaps I should re-phrase the question - How do I give a user a
> CHAP-Password which I know will be verified by the server??
See above.
Hope that helps.
Cheers.
--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd        Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, external, etc etc on Unix, Win95/8, NT, Rhapsody
ΓΏ
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
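As an added illustration (not code from the original thread or from Radiator itself), the RFC 2138 CHAP check Mike describes: the server keeps the plaintext User-Password, computes MD5(CHAP-ID || password || challenge) and compares it with the CHAP-Password the NAS sent. The sample password, CHAP ID and challenge below are constructed for the example; the NAS-side helper exists only to build a realistic request.

```python
import hashlib
import hmac


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2138 / RFC 1994 CHAP response: MD5(ID octet || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_chap_password_attr(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side (constructed helper): CHAP-Password attribute value is
    the 1-octet CHAP ID followed by the 16-octet MD5 response."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge)


def verify_chap(stored_password, chap_password_attr: bytes,
                request_authenticator: bytes, chap_challenge=None) -> bool:
    """Server side. `stored_password` is the plaintext User-Password from the
    users entry (None if the entry carries no password at all)."""
    if stored_password is None:
        # The server cannot perform the RFC comparison without the plaintext,
        # so it must reject rather than accept an unverified request.
        return False
    if len(chap_password_attr) != 17:
        return False  # malformed attribute: ID octet + 16-octet digest expected
    chap_id = chap_password_attr[0]
    response = chap_password_attr[1:]
    # Challenge comes from CHAP-Challenge if present, else the Request Authenticator.
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)


# Constructed sample values for a stand-alone run.
SAMPLE_PASSWORD = b"0123456789ABCDEF"      # the plaintext User-Password check item
SAMPLE_CHAP_ID = 7
SAMPLE_CHALLENGE = bytes(range(16))        # 16-octet challenge / Request Authenticator


def demo() -> bool:
    attr = build_chap_password_attr(SAMPLE_CHAP_ID, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    return verify_chap(SAMPLE_PASSWORD, attr, SAMPLE_CHALLENGE)


if __name__ == "__main__":
    print("CHAP verified:", demo())
```

Storing the 16-octet MD5 result as a check item cannot work, because the challenge differs on every request; only the plaintext User-Password lets the server recompute the response.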