Alan,

Sorry, yes, I am a little green behind the ears on this topic. However, I would
like to get a better understanding.
Attached (this time) is a TXT version of my capture. Sorry, last time I sent
the Ethereal version.

Looking at what the other server does, the Challenge data is stored, then
another Access-Challenge is sent.
They compare the two strings and then change the DB password. Or at least
that's what I get from this trace.
I am sure this is very non-standard; however, I would like to mirror this
behavior. I was led to believe that
this is a feature a lot of PAP Radius servers have.

If I have said anything even more stupid, please go easy on me; I do learn
fast.

Thanks

Dave

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 09, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: Re: PAP Challenge password change 


David Lomax <[EMAIL PROTECTED]> wrote:
> Thanks for your help so far. I am trying to find a way to send a 
> Challenge back to the client. Are you telling me that the vanilla 
> FreeRadius will not allow me to send a Challenge to the user
> when they attempt an Auth?

  What will you challenge the user with?  Why?  What will you do with the
response to the challenge?

  If you don't know the answers to those questions, you're wasting your time
trying to get the server to send challenges.

  For the record, the server CAN and DOES issue challenges... when it's
appropriate.

> I have the trace from an Ace Radius server that does have this feature 
> and I would like to put it into the FreeRadius version we are going to 
> run.

  Do you understand what that packet trace does?  So far, it looks like you
don't.

> The Ace Radius does as shown in the attached capture file.

  It's not plain-text, so I'm not going to jump through hoops trying to
figure out how to read it.

> If this is
> impossible by amending the DB,
> what part of the code should I look at to add it?

  If you can't explain what happens during the packet trace, you won't be
able to change any of the code to do anything useful.

  Alan DeKok.


Frame 1 (116 bytes on wire, 116 bytes captured)
    Arrival Time: Feb  6, 2004 14:23:24.990000000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 116 bytes
    Capture Length: 116 bytes
Ethernet II, Src: 00:a0:35:01:13:9c, Dst: 00:a0:c9:c9:2b:6b
    Destination: 00:a0:c9:c9:2b:6b (Intel-Hf_c9:2b:6b)
    Source: 00:a0:35:01:13:9c (Cylink_01:13:9c)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 65.163.78.61 (65.163.78.61), Dst Addr: 65.163.78.44 (65.163.78.44)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 102
    Identification: 0x2a58 (10840)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 30
    Protocol: UDP (0x11)
    Header checksum: 0x5280 (correct)
    Source: 65.163.78.61 (65.163.78.61)
    Destination: 65.163.78.44 (65.163.78.44)
User Datagram Protocol, Src Port: 42245 (42245), Dst Port: radius (1812)
    Source port: 42245 (42245)
    Destination port: radius (1812)
    Length: 82
    Checksum: 0x0000 (none)
Radius Protocol
    Code: Access Request (1)
    Packet identifier: 0x4 (4)
    Length: 74
    Authenticator
    Attribute value pairs
        t:NAS identifier(32) l:9, Value:"NAME_ME"
        t:NAS Port Type(61) l:6, Value:Virtual(5)
        t:Calling Station Id(31) l:14, Value:"172.16.8.124"
        t:User Name(1) l:7, Value:"test1"
        t:User Password(2) l:18, Value:"íá³0Ì\015J0a\004M Ç\033Õ\030"

0000  00 a0 c9 c9 2b 6b 00 a0 35 01 13 9c 08 00 45 00   ....+k..5.....E.
0010  00 66 2a 58 00 00 1e 11 52 80 41 a3 4e 3d 41 a3   .f*X....R.A.N=A.
0020  4e 2c a5 05 07 14 00 52 00 00 01 04 00 4a 9c bc   N,.....R.....J..
0030  81 0e 6e 3f 52 99 85 c3 3a 7d 1d a7 70 87 20 09   ..n?R...:}..p. .
0040  4e 41 4d 45 5f 4d 45 3d 06 00 00 00 05 1f 0e 31   NAME_ME=.......1
0050  37 32 2e 31 36 2e 38 2e 31 32 34 01 07 74 65 73   72.16.8.124..tes
0060  74 31 02 12 ed e1 b3 30 cc 0d 4a 30 61 04 4d 20   t1.....0..J0a.M 
0070  c7 1b d5 18                                       ....

Frame 2 (134 bytes on wire, 134 bytes captured)
    Arrival Time: Feb  6, 2004 14:23:25.070122000
    Time delta from previous packet: 0.080122000 seconds
    Time since reference or first frame: 0.080122000 seconds
    Frame Number: 2
    Packet Length: 134 bytes
    Capture Length: 134 bytes
Ethernet II, Src: 00:a0:c9:c9:2b:6b, Dst: 00:01:30:57:28:00
    Destination: 00:01:30:57:28:00 (ExtremeN_57:28:00)
    Source: 00:a0:c9:c9:2b:6b (Intel-Hf_c9:2b:6b)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 65.163.78.44 (65.163.78.44), Dst Addr: 65.163.78.61 (65.163.78.61)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 120
    Identification: 0x0766 (1894)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x1360 (correct)
    Source: 65.163.78.44 (65.163.78.44)
    Destination: 65.163.78.61 (65.163.78.61)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 42245 (42245)
    Source port: radius (1812)
    Destination port: 42245 (42245)
    Length: 100
    Checksum: 0x2514 (correct)
Radius Protocol
    Code: Access challenge (11)
    Packet identifier: 0x4 (4)
    Length: 92
    Authenticator
    Attribute value pairs
        t:Reply Message(18) l:45, Value:"Enter a new PIN having from 4 to 8 digits: "
        t:State(24) l:27, Value:534543555249445F4E50494E7C303D3736383734383835373B

0000  00 01 30 57 28 00 00 a0 c9 c9 2b 6b 08 00 45 00   ..0W(.....+k..E.
0010  00 78 07 66 00 00 80 11 13 60 41 a3 4e 2c 41 a3   .x.f.....`A.N,A.
0020  4e 3d 07 14 a5 05 00 64 25 14 0b 04 00 5c b8 68   N=.....d%....\.h
0030  11 7b 84 b4 33 05 f4 85 2b 9f 8a 8e d6 4f 12 2d   .{..3...+....O.-
0040  45 6e 74 65 72 20 61 20 6e 65 77 20 50 49 4e 20   Enter a new PIN 
0050  68 61 76 69 6e 67 20 66 72 6f 6d 20 34 20 74 6f   having from 4 to
0060  20 38 20 64 69 67 69 74 73 3a 20 18 1b 53 45 43    8 digits: ..SEC
0070  55 52 49 44 5f 4e 50 49 4e 7c 30 3d 37 36 38 37   URID_NPIN|0=7687
0080  34 38 38 35 37 3b                                 48857;

Frame 3 (143 bytes on wire, 143 bytes captured)
    Arrival Time: Feb  6, 2004 14:23:32.040771000
    Time delta from previous packet: 6.970649000 seconds
    Time since reference or first frame: 7.050771000 seconds
    Frame Number: 3
    Packet Length: 143 bytes
    Capture Length: 143 bytes
Ethernet II, Src: 00:a0:35:01:13:9c, Dst: 00:a0:c9:c9:2b:6b
    Destination: 00:a0:c9:c9:2b:6b (Intel-Hf_c9:2b:6b)
    Source: 00:a0:35:01:13:9c (Cylink_01:13:9c)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 65.163.78.61 (65.163.78.61), Dst Addr: 65.163.78.44 (65.163.78.44)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 129
    Identification: 0x2a62 (10850)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 30
    Protocol: UDP (0x11)
    Header checksum: 0x525b (correct)
    Source: 65.163.78.61 (65.163.78.61)
    Destination: 65.163.78.44 (65.163.78.44)
User Datagram Protocol, Src Port: 42245 (42245), Dst Port: radius (1812)
    Source port: 42245 (42245)
    Destination port: radius (1812)
    Length: 109
    Checksum: 0x0000 (none)
Radius Protocol
    Code: Access Request (1)
    Packet identifier: 0x5 (5)
    Length: 101
    Authenticator
    Attribute value pairs
        t:NAS identifier(32) l:9, Value:"NAME_ME"
        t:NAS Port Type(61) l:6, Value:Virtual(5)
        t:Calling Station Id(31) l:14, Value:"172.16.8.124"
        t:State(24) l:27, Value:534543555249445F4E50494E7C303D3736383734383835373B
        t:User Name(1) l:7, Value:"test1"
        t:User Password(2) l:18, Value:"+µ&æ\005ÔOWY\025\021—ôŸ­ë"

0000  00 a0 c9 c9 2b 6b 00 a0 35 01 13 9c 08 00 45 00   ....+k..5.....E.
0010  00 81 2a 62 00 00 1e 11 52 5b 41 a3 4e 3d 41 a3   ..*b....R[A.N=A.
0020  4e 2c a5 05 07 14 00 6d 00 00 01 05 00 65 2f 07   N,.....m.....e/.
0030  a9 b6 b5 ba d8 29 4d e0 cb c9 96 f1 af 7a 20 09   .....)M......z .
0040  4e 41 4d 45 5f 4d 45 3d 06 00 00 00 05 1f 0e 31   NAME_ME=.......1
0050  37 32 2e 31 36 2e 38 2e 31 32 34 18 1b 53 45 43   72.16.8.124..SEC
0060  55 52 49 44 5f 4e 50 49 4e 7c 30 3d 37 36 38 37   URID_NPIN|0=7687
0070  34 38 38 35 37 3b 01 07 74 65 73 74 31 02 12 2b   48857;..test1..+
0080  b5 26 e6 05 d4 4f 57 59 15 11 97 f4 9f ad eb      .&...OWY.......

Frame 4 (140 bytes on wire, 140 bytes captured)
    Arrival Time: Feb  6, 2004 14:23:32.060801000
    Time delta from previous packet: 0.020030000 seconds
    Time since reference or first frame: 7.070801000 seconds
    Frame Number: 4
    Packet Length: 140 bytes
    Capture Length: 140 bytes
Ethernet II, Src: 00:a0:c9:c9:2b:6b, Dst: 00:01:30:57:28:00
    Destination: 00:01:30:57:28:00 (ExtremeN_57:28:00)
    Source: 00:a0:c9:c9:2b:6b (Intel-Hf_c9:2b:6b)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 65.163.78.44 (65.163.78.44), Dst Addr: 65.163.78.61 (65.163.78.61)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 126
    Identification: 0x0771 (1905)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x134f (correct)
    Source: 65.163.78.44 (65.163.78.44)
    Destination: 65.163.78.61 (65.163.78.61)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 42245 (42245)
    Source port: radius (1812)
    Destination port: 42245 (42245)
    Length: 106
    Checksum: 0x8637 (correct)
Radius Protocol
    Code: Access challenge (11)
    Packet identifier: 0x5 (5)
    Length: 98
    Authenticator
    Attribute value pairs
        t:Reply Message(18) l:51, Value:"PIN Accepted.\015\012Please enter PIN again to confirm:"
        t:State(24) l:27, Value:534543555249445F574149547C303D3736383734383835373B

0000  00 01 30 57 28 00 00 a0 c9 c9 2b 6b 08 00 45 00   ..0W(.....+k..E.
0010  00 7e 07 71 00 00 80 11 13 4f 41 a3 4e 2c 41 a3   .~.q.....OA.N,A.
0020  4e 3d 07 14 a5 05 00 6a 86 37 0b 05 00 62 d5 36   N=.....j.7...b.6
0030  41 04 88 a9 ff 11 05 ef df 7c 85 11 98 8d 12 33   A........|.....3
0040  50 49 4e 20 41 63 63 65 70 74 65 64 2e 0d 0a 50   PIN Accepted...P
0050  6c 65 61 73 65 20 65 6e 74 65 72 20 50 49 4e 20   lease enter PIN 
0060  61 67 61 69 6e 20 74 6f 20 63 6f 6e 66 69 72 6d   again to confirm
0070  3a 18 1b 53 45 43 55 52 49 44 5f 57 41 49 54 7c   :..SECURID_WAIT|
0080  30 3d 37 36 38 37 34 38 38 35 37 3b               0=768748857;

Frame 5 (143 bytes on wire, 143 bytes captured)
    Arrival Time: Feb  6, 2004 14:23:35.936722000
    Time delta from previous packet: 3.875921000 seconds
    Time since reference or first frame: 10.946722000 seconds
    Frame Number: 5
    Packet Length: 143 bytes
    Capture Length: 143 bytes
Ethernet II, Src: 00:a0:35:01:13:9c, Dst: 00:a0:c9:c9:2b:6b
    Destination: 00:a0:c9:c9:2b:6b (Intel-Hf_c9:2b:6b)
    Source: 00:a0:35:01:13:9c (Cylink_01:13:9c)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 65.163.78.61 (65.163.78.61), Dst Addr: 65.163.78.44 (65.163.78.44)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 129
    Identification: 0x2a69 (10857)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 30
    Protocol: UDP (0x11)
    Header checksum: 0x5254 (correct)
    Source: 65.163.78.61 (65.163.78.61)
    Destination: 65.163.78.44 (65.163.78.44)
User Datagram Protocol, Src Port: 42245 (42245), Dst Port: radius (1812)
    Source port: 42245 (42245)
    Destination port: radius (1812)
    Length: 109
    Checksum: 0x0000 (none)
Radius Protocol
    Code: Access Request (1)
    Packet identifier: 0x6 (6)
    Length: 101
    Authenticator
    Attribute value pairs
        t:NAS identifier(32) l:9, Value:"NAME_ME"
        t:NAS Port Type(61) l:6, Value:Virtual(5)
        t:Calling Station Id(31) l:14, Value:"172.16.8.124"
        t:State(24) l:27, Value:534543555249445F574149547C303D3736383734383835373B
        t:User Name(1) l:7, Value:"test1"
        t:User Password(2) l:18, Value:"\003ÿø\230úËpÿ\012ÆÜf¶W\012}"

0000  00 a0 c9 c9 2b 6b 00 a0 35 01 13 9c 08 00 45 00   ....+k..5.....E.
0010  00 81 2a 69 00 00 1e 11 52 54 41 a3 4e 3d 41 a3   ..*i....RTA.N=A.
0020  4e 2c a5 05 07 14 00 6d 00 00 01 06 00 65 a8 dd   N,.....m.....e..
0030  52 c6 1f f6 72 9f 28 79 7d 14 3e f4 04 8f 20 09   R...r.(y}.>... .
0040  4e 41 4d 45 5f 4d 45 3d 06 00 00 00 05 1f 0e 31   NAME_ME=.......1
0050  37 32 2e 31 36 2e 38 2e 31 32 34 18 1b 53 45 43   72.16.8.124..SEC
0060  55 52 49 44 5f 57 41 49 54 7c 30 3d 37 36 38 37   URID_WAIT|0=7687
0070  34 38 38 35 37 3b 01 07 74 65 73 74 31 02 12 03   48857;..test1...
0080  ff f8 98 fa cb 70 ff 0a c6 dc 66 b6 57 0a 7d      .....p....f.W.}

Frame 6 (96 bytes on wire, 96 bytes captured)
    Arrival Time: Feb  6, 2004 14:23:38.019905000
    Time delta from previous packet: 2.083183000 seconds
    Time since reference or first frame: 13.029905000 seconds
    Frame Number: 6
    Packet Length: 96 bytes
    Capture Length: 96 bytes
Ethernet II, Src: 00:a0:c9:c9:2b:6b, Dst: 00:01:30:57:28:00
    Destination: 00:01:30:57:28:00 (ExtremeN_57:28:00)
    Source: 00:a0:c9:c9:2b:6b (Intel-Hf_c9:2b:6b)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 65.163.78.44 (65.163.78.44), Dst Addr: 65.163.78.61 (65.163.78.61)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 82
    Identification: 0x0776 (1910)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x1376 (correct)
    Source: 65.163.78.44 (65.163.78.44)
    Destination: 65.163.78.61 (65.163.78.61)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 42245 (42245)
    Source port: radius (1812)
    Destination port: 42245 (42245)
    Length: 62
    Checksum: 0xda91 (correct)
Radius Protocol
    Code: Access Accept (2)
    Packet identifier: 0x6 (6)
    Length: 54
    Authenticator
    Attribute value pairs
        t:Reply Message(18) l:21, Value:"PASSCODE Accepted\015\012"
        t:Session Timeout(27) l:6, Value:86400
        t:User Name(1) l:7, Value:"test1"

0000  00 01 30 57 28 00 00 a0 c9 c9 2b 6b 08 00 45 00   ..0W(.....+k..E.
0010  00 52 07 76 00 00 80 11 13 76 41 a3 4e 2c 41 a3   .R.v.....vA.N,A.
0020  4e 3d 07 14 a5 05 00 3e da 91 02 06 00 36 15 b1   N=.....>.....6..
0030  f9 d3 38 43 3b 9c fe 8c 80 08 f8 38 eb 5b 12 15   ..8C;......8.[..
0040  50 41 53 53 43 4f 44 45 20 41 63 63 65 70 74 65   PASSCODE Accepte
0050  64 0d 0a 1b 06 00 01 51 80 01 07 74 65 73 74 31   d......Q...test1
