I have a question regarding the implementation of the Digest-MD5 authentication protocol as defined in the 'expired' draft "draft-sterman-aaa-sip-00.txt".
As per the draft, everything seems to be perfect other than step 4 in the sequence diagram below.
User                     RADIUS Client (NAS)         RADIUS Server
  |                             |                           |
  |------Connection------------>| Creates a Nonce           |
  |      Setup Request          | and sends chal req        |
  |                             | to the client/user        |
  |                             |                           |
  |<-----Challenge(1)-----------|                           |
  |                             |                           |
  |------Response(2)----------->|                           |
  |                             |------Access-Request(3)--->|
  |                             |                           |
  |                             |<----Access-Accept(4)------|
1. digest-challenge =1#( realm | nonce | qop-options | stale | maxbuf | charset | algorithm | auth-param )
2. digest-response = 1#( username | realm | nonce | cnonce | nonce-count | qop | digest-uri | response | charset | auth-param )
3. User-Name = "testing"
   Digest-Response = "817c2768ab351ce3a7675cc5399ef057"
   Digest-Realm = "\001\007test"
   Digest-Nonce = "\002\0141069805234"
   Digest-CNonce = "\010\0141069853396"
   Digest-Method = "\003\016AUTHENTICATE"
   Digest-URI = "\004\022tsp/172.16.212.2"
   Digest-QOP = "\005\006auth"
   Digest-Algorithm = "\006\nMD5-sess"
   Digest-Nonce-Count = "\t\n00000001"
   Digest-User-Name = "\n\016testing"
4. Issue: At step 4, the FreeRADIUS Server sends the Access-Accept packet to the RADIUS Client without the Digest-Authentication response.
As per RFC2831: "Using Digest Authentication as a SASL Mechanism"
the RADIUS Server should send a message formatted as follows:

    response-auth = "rspauth" "=" response-value

where response-value is calculated as above, using the values sent in step two, except that if qop is "auth", then A2 is

    A2 = { ":", digest-uri-value }

and

    A1 = { H( { username-value, ":", realm-value, ":", passwd } ), ":",
           nonce-value, ":", cnonce-value }

    response-value = HEX( KD ( HEX(H(A1)),
                               { nonce-value, ":" nc-value, ":",
                                 cnonce-value, ":", qop-value, ":",
                                 HEX(H(A2)) }))

Questions:
1. I hope my understanding of the flow of messages/data is correct. If not, please correct me.
2. If the above flow is correct, are there any plans to make the Digest-MD5 authentication compliant with RFC 2831?
Hope I was able to clearly present my doubt.
Thanks, Shoujit
From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Freeradius-Users digest, Vol 1 #2588 - 17 msgs Date: Wed, 03 Dec 2003 21:24:02 +0100
Today's Topics:
1. Re: Freeradius and Alteon Problems (Alan DeKok)
2. Re: question about log_badlogins (Guy Fraser)
3. Re: Freeradius-0.9.3 and chap (Leonard Childers)
4. Re: Freeradius-0.9.3 and chap (Alan DeKok)
5. Re: Freeradius and Alteon Problems (Victor Mira)
6. Re: Freeradius-0.9.3 and chap (Leonard Childers)
7. Re: Freeradius-Users -- confirmation of subscription -- request 591668 (Christophe GABORET)
8. Re: Help with RLM MYSQL (Bill Campbell)
9. MySQL with FreeRadius (rlm_sql_mysql driver problem) (Michael Shanafelt)
10. Re: MySQL with FreeRadius (rlm_sql_mysql driver problem) (Breuer Nicolas - BelCenter.com)
11. Re: Freeradius-0.9.3 and chap (Alan DeKok)
12. Re: filtering attributes in proxy (Alan DeKok)
13. Re: Freeradius-0.9.3 and chap (Leonard Childers)
14. Re: Freeradius-0.9.3 and chap (Alan DeKok)
15. Re: Freeradius-0.9.3 and chap (Leonard Childers)
16. Re: Freeradius-0.9.3 and chap (Michael Griego)
17. Re: Freeradius-0.9.3 and chap (Alan DeKok)
--__--__--
Message: 1 From: "Alan DeKok" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Freeradius and Alteon Problems Date: Wed, 03 Dec 2003 11:26:39 -0500 Reply-To: [EMAIL PROTECTED]
Victor Mira <[EMAIL PROTECTED]> wrote:
> Yes, that's what I also deduced. My problem is that I really don't
> know how to tell the Radius server to send that info to the NAS. I tried to
> put in the nastype file, the type "alteon", but it does not seem to work.
<sigh> Go read the 'dictionary.alteon' file for attributes you might want to use, and then put them into the 'users' file.
If you don't know how any of the RADIUS stuff works, I'd really suggest buying the RADIUS book.
Alan DeKok.
--__--__--
Message: 2 Date: Wed, 03 Dec 2003 09:37:07 -0700 From: Guy Fraser <[EMAIL PROTECTED]> Organization: The Internet Centre To: [EMAIL PROTECTED] Subject: Re: question about log_badlogins Reply-To: [EMAIL PROTECTED]
What version of FR did you get this from?
Are the usernames in your log file?
alantu wrote:
>Hi all
> when I run the log_badlogins, The result "username" is just a "-" in the db.
>
>
--__--__--
Message: 3 Date: Wed, 3 Dec 2003 11:40:05 -0500 (EST) From: Leonard Childers <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Freeradius-0.9.3 and chap Reply-To: [EMAIL PROTECTED]
I did read FAQ and here is the acct_users line for him.
clhilton Auth-Type += Local, Password == "******"
> Leonard Childers <[EMAIL PROTECTED]> wrote:
> > Tue Dec 2 13:14:23 2003 : Auth: rlm_unix: Attribute "User-Password" is required for authentication. Cannot use "CHAP-Password".
> ...
> > Here is the debug file. I know it has to be something simple that I am
> > overlooking.
>
> The FAQ. Go read it.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--__--__--
Message: 4 From: "Alan DeKok" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Freeradius-0.9.3 and chap Date: Wed, 03 Dec 2003 11:44:49 -0500 Reply-To: [EMAIL PROTECTED]
Leonard Childers <[EMAIL PROTECTED]> wrote:
> I did read FAQ and here is the acct_users line for him.
>
> clhilton Auth-Type += Local, Password == "******"
WTF? You're trying to authenticate accounting packets?
You're even more confused than I thought.
For the record, that entry in 'acct_users' is not even wrong. And it has nothing at all to do with your problem.
Go read the FAQ *again*. This time, look for "unix" and "chap". There is text there which directly addresses the error you posted to the list. I can't for the life of me see how you missed it.
Alan DeKok.
--__--__--
Message: 5
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Freeradius and Alteon Problems
From: Victor Mira <[EMAIL PROTECTED]>
Date: Wed, 3 Dec 2003 18:15:40 +0100
Reply-To: [EMAIL PROTECTED]
Thanks Alan, I thought I already tried that. Anyway I'll keep trying.
"Alan DeKok" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 03/12/2003 17:26 Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: Freeradius and Alteon Problems
Victor Mira <[EMAIL PROTECTED]> wrote: > Yes, that's what I also deduced. My problem is that I really don't > know how to tell the Radius server to send that info to the NAS. I tried to > put in the nastype file, the type "alteon", but it does not seem to work.
<sigh> Go read the 'dictionary.alteon' file for attributes you might want to use, and then put them into the 'users' file.
If you don't know how any of the RADIUS stuff works, I'd really suggest buying the RADIUS book.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--__--__--
Message: 6 Date: Wed, 3 Dec 2003 12:24:07 -0500 (EST) From: Leonard Childers <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Freeradius-0.9.3 and chap Reply-To: [EMAIL PROTECTED]
Alan,
I must be blind. I can't find it. I am going to www.freeradius.org/faq and the only thing I see is under section 4.4 that pertains to chap.
Sorry.
--__--__--
Message: 7
Date: Wed, 03 Dec 2003 19:04:36 +0100
From: Christophe GABORET <[EMAIL PROTECTED]>
Organization: INT Evry France
To: [EMAIL PROTECTED]
Subject: Re: Freeradius-Users -- confirmation of subscription -- request 591668
Reply-To: [EMAIL PROTECTED]
confirm 591668
--__--__--
Message: 8 Date: Wed, 3 Dec 2003 10:21:26 -0800 From: Bill Campbell <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Help with RLM MYSQL Reply-To: [EMAIL PROTECTED]
On Wed, Dec 03, 2003, Breuer Nicolas - BelCenter.com wrote:
>
> Hello
>
> I have a big prob..
>
> I would like to use the rlm sql mysql module..
> My os is redhat 9 and i can't install and use this module..
I just ran into this last week when building freeradius under the OpenPKG.org packaging system.
If your mysql headers and libraries aren't in /usr/local/include and /usr/local/lib or similar standard locations or aren't installed at all, you probably have to do a couple of things:

1. You may need to install the mysql-devel RPM on your RH system if the
   headers and libraries aren't there (I'm not very familiar with RH RPM
   structures, currently using SuSE, formerly Caldera Linux).
2. You may have to add a couple of options to your configure:

   ./configure \
       --with-mysql-include-dir=path_to_mysql_headers \
       --with-mysql-lib-dir=path_to_mysql_libraries \
       ...

The base ./configure script doesn't give the options for mysql or postgresql, and probably some others. I found them by running ``./configure --help'' in the appropriate directories.
Bill
--
INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Systems, Inc.
UUCP: camco!bill PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``The whole nation is interested that the best use shall be made of these
[new] territories. We want them for the homes of free white people''
-- Abraham Lincoln, October 16, 1854
--__--__--
Message: 9 Subject: MySQL with FreeRadius (rlm_sql_mysql driver problem) Date: Wed, 3 Dec 2003 13:22:14 -0500 From: "Michael Shanafelt" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED]
OK, I had my FreeRadius server working fine for Wireless LAN MAC authentication using the clients and users text files.
My next step was to setup a MySQL database that would store the usernames and groups rather than having the text file. I followed the directions in Hassell's RADIUS book and everything was successful until I issued the radiusd -x -x command to start the server.
Now I'm getting an error stating: rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld. Radiusd.conf[14]: sql: Module instantiation failed.
My limited knowledge tells me that the rlm_sql_mysql driver isn't installed. Is this correct? How can I fix it?
Thanks, Mike
--__--__--
Message: 10 From: "Breuer Nicolas - BelCenter.com" <[EMAIL PROTECTED]> Organization: BELCENTER SPRL To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 19:30:43 +0100 Subject: Re: MySQL with FreeRadius (rlm_sql_mysql driver problem) Reply-To: [EMAIL PROTECTED]
same problem..
On 3 Dec 2003 at 13:22, Michael Shanafelt wrote:
> OK, I had my FreeRadius server working fine for Wireless LAN MAC
> authentication using the clients and users text files.
>
> My next step was to setup a MySQL database that would store the
> usernames and groups rather than having the text file. I followed the
> directions in Hassell's RADIUS book and everything was successful
> until I issued the radiusd -x -x command to start the server.
>
> Now I'm getting an error stating:
> rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
> rlm_sql (sql): Make sure it (and all its dependent libraries!) are in
> the search path of your system's ld. Radiusd.conf[14]: sql: Module
> instantiation failed.
>
> My limited knowledge tells me that the rlm_sql_mysql driver isn't
> installed. Is this correct? How can I fix it?
>
> Thanks,
> Mike
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
BREUER NICOLAS Content & Marketing Manager
** BELCENTER ISP & PORTALS ** Avenue Henri Conscience, 94 B -1140 Bruxelles
** HelpDesk : 0902/40.120 ** Tél. :+32 2 243 0 243 Fax :+32 2 243 0 244
E Mail : [EMAIL PROTECTED]
http://www.BelCenter.com | http://www.BelCenter.net http://www.LuxCenter.net | http://www.BulkSMS.be
--__--__--
Message: 11 From: "Alan DeKok" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Freeradius-0.9.3 and chap Date: Wed, 03 Dec 2003 14:19:15 -0500 Reply-To: [EMAIL PROTECTED]
Leonard Childers <[EMAIL PROTECTED]> wrote:
> I must be blind. I can't find it. I am going to www.freeradius.org/faq and
> the only thing I see is under section 4.4 that pertains to chap.
Yes... what part of it is unclear?
You have the RADIUS server set up to authenticate against /etc/passwd, and the RADIUS request contains a CHAP password. This won't work. This will never work. Ever.
See the list archives, see the FAQ.
Alan DeKok.
--__--__--
Message: 12 From: "Alan DeKok" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: filtering attributes in proxy Date: Wed, 03 Dec 2003 14:20:11 -0500 Reply-To: [EMAIL PROTECTED]
"denz" <[EMAIL PROTECTED]> wrote:
> I need to remove the attribute
> Calling-Station-Id = xxx
> from the requests before passing it to the remote radius server.
Use rlm_attr_filter in pre-proxy.
> And while doing that I need to run some script and put those
> Calling-station-id to a DB. Can we achieve this.
Yes. Use rlm_exec in pre-proxy, before rlm_attr_filter.
Alan DeKok.
--__--__--
Message: 13 Date: Wed, 3 Dec 2003 14:50:16 -0500 (EST) From: Leonard Childers <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Freeradius-0.9.3 and chap Reply-To: [EMAIL PROTECTED]
I guess I have misunderstood everything. I am running cistron radius and it can do both. I have some users in the user file and the rest on the system. We have 10 different nas that verify thru cistron and some only work with chap and the other use pap.
Thanks for your help.
--__--__--
Message: 14 From: "Alan DeKok" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Freeradius-0.9.3 and chap Cc: Leonard Childers <[EMAIL PROTECTED]> Date: Wed, 03 Dec 2003 14:58:26 -0500 Reply-To: [EMAIL PROTECTED]
Leonard Childers <[EMAIL PROTECTED]> wrote:
> I guess I have misunderstood everything. I am running cistron radius
Then you're even ruder than I thought. You're asking questions on the FreeRADIUS list. See the list name? It says FREERADIUS. It doesn't say CISTRON.
I'm appalled at your behaviour.
> it can do both. I have some users in the user file and the rest on the
> system. We have 10 different nas that verify thru cistron and some only
> work with chap and the other use pap.
But NOTHING can do CHAP authentication against /etc/passwd. The whole system was designed to make that impossible.
My suggestion is for you to go away, and never to post another message to this list. You've demonstrated a total inability to read or understand the simplest concepts.
Alan DeKok.
--__--__--
Message: 15 Date: Wed, 3 Dec 2003 15:07:28 -0500 (EST) From: Leonard Childers <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Freeradius-0.9.3 and chap Reply-To: [EMAIL PROTECTED]
Alan,
You misunderstood. I am trying to get freeradius running. I am currently using cistron with it authenticating using both the user file and the password file. And I am not trying to be rude. If anyone is, you are. I am just trying to understand how freeradius works. Now if that offends you then I am sorry and I will not post anymore to the list.
--__--__--
Message: 16 Subject: Re: Freeradius-0.9.3 and chap From: Michael Griego <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Date: Wed, 03 Dec 2003 14:21:53 -0600 Reply-To: [EMAIL PROTECTED]
Leonard,
What *you* are misunderstanding is that there is ABSOLUTELY NO WAY for ANY system (Cistron, FreeRADIUS, or otherwise) to be able to authenticate CHAP passwords with ONLY a standard salted crypt() password, which is what the /etc/passwd systems use. The /etc/passwd passwords are one-way password hashes in a different hashing style than CHAP.
Also, if you think you have your Cistron server authenticating CHAP handshakes against /etc/passwd, you either have some other password helpers you're not telling us about, or you don't understand what you're doing with Cistron either.
Something here doesn't add up, and it's frustrating the list and getting you no help.
--
--Mike
----------------------------------- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas
--__--__--
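The point the list keeps making to Leonard, shown in code as an added example that is not part of any message in this digest or of FreeRADIUS: a RADIUS server verifying CHAP has to recompute MD5(ident || secret || challenge) from the cleartext secret, while /etc/passwd holds only a salted one-way hash, which is enough for PAP (the cleartext arrives and can be re-hashed for comparison) but gives a CHAP verifier nothing to hash. The salted-hash helper is a stand-in for crypt(3), the sample values are constructed, and all names are my own.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The secret goes into the hash in cleartext; there is nothing else to put there."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def build_chap_password(ident: int, secret: str, challenge: bytes) -> bytes:
    """What a NAS puts in the RADIUS CHAP-Password attribute:
    1 octet CHAP Ident followed by the 16 octet response."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def verify_chap(chap_password: bytes, cleartext_secret: str,
                request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server side of CHAP as RFC 2865 section 5.3 describes it: the challenge is
    the CHAP-Challenge attribute if the NAS sent one, otherwise the 16 octet
    Request Authenticator. Needs the cleartext secret to recompute the MD5."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    return hmac.compare_digest(chap_response(ident, cleartext_secret, challenge), response)


def stored_entry(secret: str, salt: str = "k9") -> str:
    """A salted one-way hash standing in for a crypt(3) field from /etc/passwd or
    /etc/shadow (the real crypt algorithms differ, but are equally one-way)."""
    return salt + "$" + hashlib.sha256((salt + secret).encode()).hexdigest()


def verify_pap(cleartext_from_nas: str, entry: str) -> bool:
    """PAP works against such an entry because the NAS delivers the cleartext
    (User-Password, hidden on the wire only by the RADIUS shared secret), so
    the server can re-salt and re-hash it."""
    salt, _, _ = entry.partition("$")
    return hmac.compare_digest(stored_entry(cleartext_from_nas, salt), entry)


# Constructed sample exchange.
SAMPLE_SECRET = "correct horse"
SAMPLE_AUTHENTICATOR = bytes(range(16))   # stands in for a random Request Authenticator
SAMPLE_IDENT = 0x2A
SAMPLE_CHAP_PASSWORD = build_chap_password(SAMPLE_IDENT, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
SAMPLE_ENTRY = stored_entry(SAMPLE_SECRET)

if __name__ == "__main__":
    # With the cleartext secret CHAP verifies; with only SAMPLE_ENTRY there is no
    # input to chap_response() that could reproduce SAMPLE_CHAP_PASSWORD.
    print("chap ok:", verify_chap(SAMPLE_CHAP_PASSWORD, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR))
    print("pap ok: ", verify_pap(SAMPLE_SECRET, SAMPLE_ENTRY))
```

The practical consequence for a mixed NAS population like the one described: the NASes that only do CHAP need a backend that stores either the cleartext (Password == in the users file, or an SQL column) or a reversible form of it; the ones that do PAP can keep using the system password file.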
Message: 17 From: "Alan DeKok" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: Freeradius-0.9.3 and chap Date: Wed, 03 Dec 2003 15:23:28 -0500 Reply-To: [EMAIL PROTECTED]
Leonard Childers <[EMAIL PROTECTED]> wrote:
> You misunderstood. I am trying to get freeradius running. I am currently
> using cistron with it authenticating using both the user file and the
> password file. And I am not trying to be rude. If anyone is you are.
Right.
What part of "go away" did you not understand?
> I am just trying to under stand how freeradius works.
No, you're not. You refused to understand me, or believe anything I said.
> Now if that offends you them I am sorry and I will not post anymore
> to the list.
It offends me that you ask questions on the list, and then tell me I'm wrong when I answer those questions. It offends me that you ask questions, and then can't follow the simplest instructions I give in my answers. It tells me that you don't want any answers, you just want to cause trouble.
That's offensive to *anyone*. If you're offended that I'm pointing out your rude behaviour, that's your problem.
Alan DeKok.
--__--__--
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest