On 11/23/2011 11:04 AM, M P wrote:
> In CHAP, how does Radiator verify that the password submitted by the end
> user matches the password in the database? Please correct my
> understanding of the following process flow:
Here's an example with radpwtst. Note that CHAP does not need an Access-Challenge to be returned. CHAP authentication takes only an Access-Request, with Access-Accept or Access-Reject as the return message.

~/radiator/Radiator-4.9$ ./radpwtst -trace 4 -noacct -chap -user mikem -password fred
Wed Nov 23 21:13:16 2011: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Wed Nov 23 21:13:16 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1645 ....
Code:       Access-Request
Identifier: 46
Authentic:  "<230><209>Z" <174><13>!~<19>R<213><159><194>g
Attributes:
        User-Name = "mikem"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        CHAP-Password = 5S<170><235><146><30><135><252><190><135><244>.cx<249><173>~
        CHAP-Challenge = 1234567890123456

Wed Nov 23 21:13:16 2011: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1645 ....
Code:       Access-Accept
Identifier: 46
Authentic:  <223><19><224><127>b<192><220><243><156><17><7><25><179><157><147><24>
Attributes:

OK

> [1] End user submits the username and password via CHAP.
> [2] Upon hitting the Radiator with the CHAP-Password attribute, it will
> respond with Access-Challenge (exit 3).
> [3] Perform challenge-response and decide whether the Radiator will
> Access-Accept or Access-Reject.
>
> My question is, between items [2] and [3], how does Radiator check and
> verify the password of the username from its database? Isn't it that
> Radiator should check its database first for the username's password
> during step [2] or before step [3]?

When Radiator receives the password in step [2], it will look up the plain text password using the username as the key. With the password, Radiator can calculate its own CHAP-Password value using CHAP-Challenge. See how radpwtst creates the two CHAP-related attributes, and http://tools.ietf.org/html/rfc2865#section-5.3 for the attribute definitions.
Once Radiator has its own value for CHAP-Password, it can compare it to the received CHAP-Password and make an immediate pass/fail decision without challenging the client.

> Please advise, as I am confused. I am actually using AuthBy EXTERNAL and
> executing an external script to check an external API for the user's
> password.

See how radpwtst and Radius/AuthGeneric.pm and the check_chap function calculate the values. That should clarify how CHAP-Password and CHAP-Challenge work.

Thanks!
Heikki

> Thank you in advance.
>
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.