CHAP with External Script Prob.

Fri, 09 Nov 2001 12:46:59 -0800 


I am happy to report my previous issues dealing with the external scripts 
are all fixed and working.  I am coming from an XT-Radius background, and 
migrating many of the same scripts over which I am trying to get to work 
with FreeRadius.  Nearly everything is successful except 1 item.  Chap 
authentication.  We are using perl for the auth script, and attached is a 
copy of the CHAP function to see if it matches.  The problem I am having is 
$digest is never eq substr($chap_password,1).  I have confirmed that both 
$ENV{"CHAP_PASSWORD"} and $ENV{"CHAP_CHALLENGE"} do have data.

Any assistance is apprecated.  This exact (well, XT uses different ENV 
names, but otherwise exact) function works perfect in XT Radius, so I am 
assuming there must be something just slightly different about how 
Freeradius handles the chap password and challenge.  Also, if anyone has a 
pre-written script which handles CHAP auth, that would also be useful.


----  snippet of CHAP auth portion of script ----
if ($ENV{"CHAP_PASSWORD"} && $ENV{"CHAP_CHALLENGE"}) {
         $chap_password = pack("H*", $ENV{"CHAP_PASSWORD"});
         $chap_challenge = pack("H*", $ENV{"CHAP_CHALLENGE"});
         $md5 = new MD5;
         $md5->reset;
         $md5->add(substr($chap_password,0,1));
         $md5->add($userinfo[1]);
         $md5->add($chap_challenge);
         $digest = $md5->digest();
         $blehtemp = substr($chap_password,1);
         if ($digest ne substr($chap_password,1)) {
                 # i don't know you.  sod off.
                 $authlogfile = IO::File->new("/var/log/auth.log", "a+")
                 or die "Couldn't open /var/log/auth.log for writing: $!\n";
                 $authlogfile->printf(localtime(time) . ": Error: Incorrect 
password$
                 $authlogfile->close();
                 exit 1003;
         }
}
---- end snippet ----

Note, the $authlogfile line is cut off, just my copy/paste didn't catch the 
end of it, but that is not a problem.  Below this function if it does not 
deny user here, it authenticates it lower in the script.  But what happens 
is the if ($digest ne substr($chap_password,1))  statement is always true; 
therefore, nobody ever gets authenticated.

Thanks in advance,
Nate


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html























					Reply via email to