Re: Access Challenge in freeRadius server

2009-06-15 Thread kpani

Thank you very much Ivan for your detailed response. I will check it and
respond to you.

Regards,
Dhandapani


Ivan Kalik wrote:
> 
>> Not sure how ssh/telnet will handle.
> 
> That depends on your pam radius module. I believe freeradius hosted module
> can handle it. Don't know for others.
> 
>> But I assume, other than password it
>> may request for additional RSA key generated to access a particular
>> machine
>> or something similar to that.
> 
> Why? Server already knows its RSA key. This has nothing to do with user
> authentication.
> 
>> Also, does NAS need any installation to support Access-Challenge like
>> CHAP?
> 
> It needs pam module that supports it. BTW chap doesn't have
> Access-Challenge in the authentication process. Nor mschap.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24048486.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Access Challenge in freeRadius server

2009-06-15 Thread Ivan Kalik
> Not sure how ssh/telnet will handle.

That depends on your pam radius module. I believe freeradius hosted module
can handle it. Don't know for others.

> But I assume, other than password it
> may request for additional RSA key generated to access a particular
> machine
> or something similar to that.

Why? Server already knows its RSA key. This has nothing to do with user
authentication.

> Also, does NAS need any installation to support Access-Challenge like
> CHAP?

It needs pam module that supports it. BTW chap doesn't have
Access-Challenge in the authentication process. Nor mschap.

Ivan Kalik
Kalik Informatika ISP



Re: Access Challenge in freeRadius server

2009-06-15 Thread kpani


Thanks Ivan. 

Not sure how ssh/telnet will handle. But I assume, other than password it
may request for additional RSA key generated to access a particular machine
or something similar to that.

Also, does NAS need any installation to support Access-Challenge like CHAP? 

Regards,
Dhandapani



Ivan Kalik wrote:
> 
>> And also may I know why it is not advised to support Access Challenge for
>> ssh or telnet.
> 
> Nothing to do with what's advisable but with what's available. Will pam
> module on ssh/telnet server be able to handle a challenge and know what to
> do with it?
> 
> Ivan Kalik
> Kalik Informatika ISP





Re: Access Challenge in freeRadius server

2009-06-15 Thread kpani

Thanks Ivan. 

Not sure how ssh/telnet will handle. But I assume, other than password it
may request for additional RSA key generated to access a particular machine
or something similar to that.

Regards,
Dhandapani



Ivan Kalik wrote:
> 
>> And also may I know why it is not advised to support Access Challenge for
>> ssh or telnet.
> 
> Nothing to do with what's advisable but with what's available. Will pam
> module on ssh/telnet server be able to handle a challenge and know what to
> do with it?
> 
> Ivan Kalik
> Kalik Informatika ISP



Re: Access Challenge in freeRadius server

2009-06-15 Thread Ivan Kalik
> And also may I know why it is not advised to support Access Challenge for
> ssh or telnet.

Nothing to do with what's advisable but with what's available. Will pam
module on ssh/telnet server be able to handle a challenge and know what to
do with it?

Ivan Kalik
Kalik Informatika ISP
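
Added example, not part of the thread and not code from pam_radius_auth or FreeRADIUS: what "handling a challenge" means for a RADIUS client per RFC 2865. The client checks the Access-Challenge (code 11) against the request it sent, shows Reply-Message to the user, and sends a new Access-Request that echoes State unchanged. Function names are hypothetical, and make_challenge exists only to construct sample input.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                       # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def hide_password(password, secret, req_auth):  # User-Password hiding, RFC 2865 5.2
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def make_challenge(ident, req_auth, secret, prompt, state):  # server side, sample input only
    body = encode_attrs([(REPLY_MESSAGE, prompt), (STATE, state)])
    head = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def parse_challenge(packet, ident, req_auth, secret):  # client side: returns (prompt, state)
    code, rid, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if length < 20 or length != len(packet) or code != ACCESS_CHALLENGE or rid != ident:
        raise ValueError("not the Access-Challenge for this request")
    want = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs = parse_attrs(packet[20:])
    prompt = b"".join(v for t, v in attrs if t == REPLY_MESSAGE).decode("utf-8", "replace")
    return prompt, next((v for t, v in attrs if t == STATE), None)

def build_followup(ident, user, answer, state, secret):  # second Access-Request
    req_auth = os.urandom(16)                            # fresh authenticator each request
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(answer, secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))                     # echoed byte for byte
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
```

A client that treats any reply other than Access-Accept as a failure never reaches the second request, which is why support in the PAM module matters.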



Re: Access Challenge in freeRadius server

2009-06-15 Thread kpani

Thanks Ivan for the clarification. I am just setting up the tool eapol_test
to test it. Thanks.

But I am also investigating whether it is possible to achieve Access
Challenge with ssh/telnet without using any other tools. Could you please
help if you have done it before?

And also may I know why it is not advised to support Access Challenge for
ssh or telnet.

Regards,
Dhandapani


Ivan Kalik wrote:
> 
>> I am trying to authorize the ssh and telnet login users of my Redhat
>> Linux
>> machine using freeRadius server.
>>
>> I am able to test Access-Accept and Access-Reject with right and wrong
>> credentials respectively by configuring the file '/etc/pam.d/sshd' with
>> entry pam_radius_auth.so.
>>
>> But I do not know how to achieve and test the Access-Challenge concept.
> 
> Do you need to? ssh and telnet supplicants tend not to use protocols with
> challenge-response exchange.
> 
>> I
>> mean what type of input will result in Access Challenge (I know it
>> happens
>> when we provide partial login information but not sure how to achieve
>> with
>> login in real time)?
> 
> Send an eap request (eapol_test).
> 
> Ivan Kalik
> Kalik Informatika ISP



Re: Access Challenge in freeRadius server

2009-06-15 Thread Ivan Kalik
> I am trying to authorize the ssh and telnet login users of my Redhat Linux
> machine using freeRadius server.
>
> I am able to test Access-Accept and Access-Reject with right and wrong
> credentials respectively by configuring the file '/etc/pam.d/sshd' with
> entry pam_radius_auth.so.
>
> But I do not know how to achieve and test the Access-Challenge concept.

Do you need to? ssh and telnet supplicants tend not to use protocols with
challenge-response exchange.

> I
> mean what type of input will result in Access Challenge (I know it happens
> when we provide partial login information but not sure how to achieve with
> login in real time)?

Send an eap request (eapol_test).

Ivan Kalik
Kalik Informatika ISP
