Re: Access Challenge in freeRadius server
Thank you very much Ivan for your detailed response. I will check it and respond to you.

Regards,
Dhandapani

Ivan Kalik wrote:
>
>> Not sure how ssh/telnet will handle.
>
> That depends on your pam radius module. I believe freeradius hosted module
> can handle it. Don't know for others.
>
>> But I assume, other than password it
>> may request for additional RSA key generated to access a particular
>> machine or something similar to that.
>
> Why? Server already knows its RSA key. This has nothing to do with user
> authentication.
>
>> Also, does NAS need any installation to support Access-Challenge like
>> CHAP?
>
> It needs pam module that supports it. BTW chap doesn't have
> Access-Challenge in the authentication process. Nor mschap.
>
> Ivan Kalik
> Kalik Informatika ISP

--
View this message in context: http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24048486.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Access Challenge in freeRadius server
> Not sure how ssh/telnet will handle.

That depends on your pam radius module. I believe freeradius hosted module can handle it. Don't know for others.

> But I assume, other than password it
> may request for additional RSA key generated to access a particular
> machine or something similar to that.

Why? Server already knows its RSA key. This has nothing to do with user authentication.

> Also, does NAS need any installation to support Access-Challenge like
> CHAP?

It needs pam module that supports it. BTW chap doesn't have Access-Challenge in the authentication process. Nor mschap.

Ivan Kalik
Kalik Informatika ISP
Re: Access Challenge in freeRadius server
Thanks Ivan.

Not sure how ssh/telnet will handle. But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that.

Also, does NAS need any installation to support Access-Challenge like CHAP?

Regards,
Dhandapani

Ivan Kalik wrote:
>
>> And also may I know why it is not advised to support Access Challenge for
>> ssh or telnet.
>
> Nothing to do with what's advisable but with what's available. Will pam
> module on ssh/telnet server be able to handle a challenge and know what to
> do with it?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Access Challenge in freeRadius server
Thanks Ivan.

Not sure how ssh/telnet will handle. But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that.

Regards,
Dhandapani

Ivan Kalik wrote:
>
>> And also may I know why it is not advised to support Access Challenge for
>> ssh or telnet.
>
> Nothing to do with what's advisable but with what's available. Will pam
> module on ssh/telnet server be able to handle a challenge and know what to
> do with it?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Access Challenge in freeRadius server
> And also may I know why it is not advised to support Access Challenge for
> ssh or telnet.

Nothing to do with what's advisable but with what's available. Will pam module on ssh/telnet server be able to handle a challenge and know what to do with it?

Ivan Kalik
Kalik Informatika ISP
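
What handling a challenge involves on the client side, as an added example that is not part of the original thread: per RFC 2865, an Access-Challenge (code 11) may carry a Reply-Message prompt and a State value that the client must echo unchanged in its next Access-Request. The sample packets are constructed, the helper names are hypothetical, and Response Authenticator verification is omitted.

```python
import struct

# Packet codes and attribute types from RFC 2865.
CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}
ATTR_REPLY_MESSAGE, ATTR_STATE = 18, 24

def parse_radius(packet: bytes):
    """Return (code, identifier, [(type, value), ...]); ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs

def next_step(packet: bytes):
    """What a RADIUS client (such as a PAM module) must do with a reply."""
    code, _ident, attrs = parse_radius(packet)
    result = {"result": CODES.get(code, f"code {code}")}
    if code == 11:
        # Show the prompt, collect the user's answer, then send a new
        # Access-Request that echoes State unchanged (if one was sent).
        prompt = b"".join(v for t, v in attrs if t == ATTR_REPLY_MESSAGE)
        state = [v for t, v in attrs if t == ATTR_STATE]
        result["prompt"] = prompt.decode("utf-8", "replace")
        result["echo_state"] = state[0] if state else None
    return result

def build_reply(code, ident, attrs):
    """Build a constructed sample reply (authenticator zeroed, not valid)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples, not captured traffic.
SAMPLE_CHALLENGE = build_reply(11, 7, [(ATTR_REPLY_MESSAGE, b"Enter token code: "),
                                       (ATTR_STATE, b"\x01\x02\x03\x04")])
SAMPLE_ACCEPT = build_reply(2, 8, [])

if __name__ == "__main__":
    print(next_step(SAMPLE_CHALLENGE))
    print(next_step(SAMPLE_ACCEPT))
```

A client that cannot display the prompt or resend with State has no way to complete the exchange, which is the capability question raised in the reply above.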
Re: Access Challenge in freeRadius server
Thanks Ivan for the clarification. I am just setting up the tool eapol_test to test it. Thanks.

But I am also investigating whether it is possible to achieve Access Challenge with ssh/telnet without using any other tools. Could you please help if you have done it before?

And also may I know why it is not advised to support Access Challenge for ssh or telnet.

Regards,
Dhandapani

Ivan Kalik wrote:
>
>> I am trying to authorize the ssh and telnet login users of my Redhat
>> Linux machine using freeRadius server.
>>
>> I am able to test Access-Accept and Access-Reject with right and wrong
>> credentials respectively by configuring the file '/etc/pam.d/sshd' with
>> entry pam_radius_auth.so.
>>
>> But I do not know how to achieve and test the Access-Challenge concept.
>
> Do you need to? ssh and telnet supplicants tend not to use protocols with
> challenge-response exchange.
>
>> I mean what type of input will result in Access Challenge (I know it
>> happens when we provide partial login information but not sure how to
>> achieve with login in real time)?
>
> Send an eap request (eapol_test).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Access Challenge in freeRadius server
> I am trying to authorize the ssh and telnet login users of my Redhat Linux
> machine using freeRadius server.
>
> I am able to test Access-Accept and Access-Reject with right and wrong
> credentials respectively by configuring the file '/etc/pam.d/sshd' with
> entry pam_radius_auth.so.
>
> But I do not know how to achieve and test the Access-Challenge concept.

Do you need to? ssh and telnet supplicants tend not to use protocols with challenge-response exchange.

> I mean what type of input will result in Access Challenge (I know it happens
> when we provide partial login information but not sure how to achieve with
> login in real time)?

Send an eap request (eapol_test).

Ivan Kalik
Kalik Informatika ISP
Access Challenge in freeRadius server
Hi,

I am new to freeRadius server. I am trying to authorize the ssh and telnet login users of my Redhat Linux machine using freeRadius server.

I am able to test Access-Accept and Access-Reject with right and wrong credentials respectively by configuring the file '/etc/pam.d/sshd' with entry pam_radius_auth.so.

But I do not know how to achieve and test the Access-Challenge concept. I mean what type of input will result in Access Challenge (I know it happens when we provide partial login information but not sure how to achieve with login in real time)?

Please help me with some solutions in achieving Access Challenge.

Thanks in advance.

Regards,
Dhandapani