Hello,

As we've got some bad ISPs or maybe because they use other RADIUS than FreeRADIUS :-), we would like, when their home server does not work properly (bad response time or completely down), to continue authenticating WiMAX users on our proxy. (So that users do not get disconnected after their lease / network entry).

So I wanted to build a "welcome" home server (meaning a home server that always says yes without checking anything).

I've tried a physical one and also a dedicated virtual server that I use either as fallback home server or as secondary home server.

I've successfully been able to send "Access Accept" for any Access Request by configuring the following :


authorize {
        preprocess
        auth_log
        chap
        mschap
        unix
        files
        if (!ok) {
                reject
        }
        else {
                update control {
                        Auth-Type := Accept
                }
        }
        expiration
        logintime
        pap
}
....


But then it's not enough, MS-CHAP attributes are required so that it really works (below is "normal" authentication when the ISP's home server answers).

Mon Dec  5 11:37:39 2011 : Debug: Received Access-Accept packet from host X.Y.Z.W port 1812, id=98, length=184
Mon Dec  5 11:37:39 2011 : Debug:       MS-CHAP2-Success = 0x78533d44303235443041393935354646383733384143443137364244433544463336393436373139333937
Mon Dec  5 11:37:39 2011 : Debug:       MS-MPPE-Recv-Key = 0xa0d43ffe6f017d74813ad8d12b35797e
Mon Dec  5 11:37:39 2011 : Debug:       MS-MPPE-Send-Key = 0x5f6a95b54ef1d283134925733845429a
Mon Dec  5 11:37:39 2011 : Debug:       MS-MPPE-Encryption-Policy = 0x00000001
Mon Dec  5 11:37:39 2011 : Debug:       MS-MPPE-Encryption-Types = 0x00000006
Mon Dec  5 11:37:39 2011 : Debug:       Proxy-State = 0x323233
Mon Dec  5 11:37:39 2011 : Debug: +- entering group post-proxy {...}

As I was not very familiar with MS-CHAP, I've googled a little and it seems to me that my goal (i.e. an MS-CHAPv2 welcome server without having user/passwd of users) is not reachable as the home server MUST have users/passwd to generate challenge.

Could you confirm that I'm not wrong so that I will stop looking for unfeasible things?

Many thanks

Thomas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
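
Added example, not part of the original post and not FreeRADIUS code: RFC 2759's GenerateAuthenticatorResponse, which produces the "S=..." text carried in MS-CHAP2-Success, takes the user's NT password hash as an input. The function names and the pure-Python MD4 are this example's own; the inputs are the RFC 2759 section 9.2 test vector, not values from the log above.

```python
import hashlib, struct

MAGIC1 = b"Magic server to client signing constant"      # RFC 2759 constants
MAGIC2 = b"Pad to make it do more than one iteration"

def md4(msg):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled."""
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    order = (list(range(16)),
             [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
             [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
    shift = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
    const = (0, 0x5A827999, 0x6ED9EBA1)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = msg + b"\x80" + b"\0" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            r = i // 16
            f = ((b & c) | (~b & d), (b & c) | (b & d) | (c & d), b ^ c ^ d)[r]
            a = rol((a + f + x[order[r][i % 16]] + const[r]) & 0xFFFFFFFF, shift[r][i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password):
    """NtPasswordHash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def authenticator_response(pw_hash, nt_response, peer_chal, auth_chal, username):
    """GenerateAuthenticatorResponse: the 'S=...' text inside MS-CHAP2-Success."""
    challenge = hashlib.sha1(peer_chal + auth_chal + username).digest()[:8]
    digest = hashlib.sha1(md4(pw_hash) + nt_response + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()

# Test vector from RFC 2759 section 9.2 (not values from the post above).
USER, PASSWORD = b"User", "clientPass"
AUTH_CHAL = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHAL = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

def respond_as(password):
    """What a home server holding `password` would put in MS-CHAP2-Success."""
    return authenticator_response(nt_hash(password), NT_RESPONSE, PEER_CHAL, AUTH_CHAL, USER)

if __name__ == "__main__":
    print("with the user's password:", respond_as(PASSWORD))
    print("with no credential      :", respond_as(""))  # differs, so the client's check fails
```

The client runs the same computation with its own password and compares the result with the "S=" value it receives, so a server that does not hold the password (or its NT hash) cannot produce a value that passes.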