Chap/Pap Authentication

Alan DeKok aland at deployingradius.com
Fri Jan 18 21:34:18 CET 2013


Joseph Showalter wrote:
> Instead of using Chap which we are getting above, we want to use the "3GPP2-Attr-61 = 0x0106000000010209a0000029275c41" value which we can convert to the device serial number.

  OK.

> In our DB we store the device serial number. The devices chap info most of them time might be tampered with or wrong.

  That's a little surprising, but OK.

> So we wanted our EXEC script to replace the chap user/pass with the new PAP user/password.

  No.  You don't want that.  I said you don't want that.  Don't do that.
 It's wrong.

> Should we be setting Cleartext-Password and the User-Password?

  No.  You should be setting Auth-Type := Accept, just like I said in my
last message.

>>  If you're going to force authentication success, why not just set
>> "Auth-Type := Accept"?  That avoids all of the mangling of passwords
>> (chap and pap)
> 
> We still want radius to run through the normal SQL process to verify that the above serial number is valid.

  So... do an SQL query to see if the serial number is valid.  There's
no need to run a script.  There's no need to play games with CHAP.
There's no need to play games with PAP.

  Write an SQL statement that returns a string if the serial number is
in the database.  If the number isn't in the database, it returns
nothing.  Then, use the SQL statement in the "authorize" section:

authorize {
	...

	if (! "%{sql:SELECT ... }") {
	  reject
	}

	update control {
		Auth-Type := Accept
	}
	...
}

  It's that easy.

  Alan DeKok.


More information about the Freeradius-Users mailing list