Thanks, Alan.<br>But I have lots of problems.<br>First, what is the difference between challenge-response and CHAP? In my opinion, challenge-response is an authentication mechanism and flow, while CHAP is a method to hide and transport the user's password. In challenge-response, the random challenge is produced by the RADIUS server and has no length limit, while the 16-byte random authenticator used in CHAP is produced by the NAS or the client. Is that right?
<br><br>Second, suppose we have enabled the NAS (client) and FreeRADIUS to support our specified attribute "My-Aes-Password"; how do we write the new module to handle the attribute? Is it like the following:<br> 1. code a program like freeradius-path/src/modules/rlm_example/rlm_example.c and name it rlm_aes;
<br> 2. compile it and store the aes.exe file in the /bin/ directory;<br> 3. edit the radiusd.conf as follow:<br> #in the modules section<br> ...<br> exec aes{<br> wait = yes;<br>
program ="/bin/aes %My_Aes_Password "<br> input_pairs = request<br> output_pairs = reply<br> }<br> ...<br> authorize {<br> preprocess<br>
chap<br> mschap<br> suffix<br> sql<br> aes<br> }<br> ...<br> Or need we not compile rlm_aes.c at all, and just leave it to FreeRADIUS to do what needs to be done?
<br><br> Third, how do we enable FreeRADIUS and the NAS (client) to support our new attribute? Does a new entry need to be appended to the dictionary file?<br><br>regards<br>Guoxian<br><br><div><span class="gmail_quote">2007/2/1, Alan DeKok <
<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">yao guoxian wrote:
<br>> Hi!<br>> I have a smart card emulator which supports AES, not the MD5 encryption<br>> algorithm. Is it possible to enable FreeRADIUS to support my smart card<br>> emulator?<br><br> Edit the code.<br><br>
> I have an idea as follows:<br>> First, amending the client agent (NAS) daemon program to make it send a<br>> chap-password which is produced with AES, not MD5.<br><br> Don't do that. It isn't CHAP, and you will break a lot of things.
<br><br>> The usual md5<br>> chap-password is produced as MD5( user-packet-ID+user-secret+16 bytes<br>> authenticator), while the aes chap-password is produced as AES(16 bytes<br>> authenticator) using user-secret as
key. The usual md5 chap-password<br>> attribute in an Access-Request packet is as follows:<br>> __________________________________________________<br>><br>> | code = 3 | Length = 19 | user-packet-ID | 16 bytes value|
<br>> __________________________________________________<br>> While the aes chap-password replaced the 16 bytes value ( MD5(<br>> user-packet-ID+user-secret+16 bytes authenticator)) with AES(16 bytes<br>> authenticator).
<br>> Second, amending rlm_chap.c to alter it to use AES to analyze<br>> the request packet.<br>> Is it practical? Appreciate any suggestions.<br><br> No, it's not practical.<br><br> What you're missing is that none of the NASes will do the AES
<br>calculation, so changing FreeRADIUS won't help.<br><br> If you control the software on the NAS, just invent a new attribute,<br>"My-AES-Password", and use that. That's what attributes are for. Then,
<br>write a new module to support that attribute. That's what modules are for.<br><br> Hacking existing attributes and modules is a recipe for disaster.<br>Don't do it.<br><br> Alan DeKok.<br>--<br> <a href="http://deployingradius.com">
http://deployingradius.com</a> - The web site of the book<br> <a href="http://deployingradius.com/blog/">http://deployingradius.com/blog/</a> - The blog<br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">
http://www.freeradius.org/list/users.html</a><br></blockquote></div><br>
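The thread above argues about what the 19-byte CHAP-Password attribute actually contains. The following is an added example, not code from the thread or from FreeRADIUS itself: it builds the CHAP-Password attribute exactly as the quoted table describes it (type 3, length 19, CHAP ident, 16-byte MD5 over ident + secret + challenge) and verifies it the way a server that knows the cleartext password would. The CHAP ident, secret and 16-byte Request Authenticator are constructed sample values. Per RFC 2865 the challenge is the CHAP-Challenge attribute when the NAS sent one and the Request Authenticator otherwise, which is the "16 bytes authenticator" the original message refers to.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# RADIUS attribute type codes from RFC 2865.
CHAP_PASSWORD = 3    # CHAP-Password: ident + 16-byte MD5 response
CHAP_CHALLENGE = 60  # CHAP-Challenge: optional explicit challenge


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response as carried in RADIUS: MD5(ident || secret || challenge).

    MD5 yields 16 bytes, which is why the attribute length is 2 + 1 + 16 = 19.
    """
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def build_chap_password(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """Encode the CHAP-Password attribute a NAS puts into an Access-Request.

    Wire layout: Type=3 | Length=19 | CHAP ident | 16-byte MD5 value.
    """
    value = bytes([chap_id]) + chap_response(chap_id, secret, challenge)
    return struct.pack("!BB", CHAP_PASSWORD, 2 + len(value)) + value


def parse_chap_password(attr: bytes) -> Tuple[int, bytes]:
    """Decode a CHAP-Password attribute into (chap_id, response)."""
    if len(attr) != 19 or attr[0] != CHAP_PASSWORD or attr[1] != 19:
        raise ValueError("malformed CHAP-Password attribute")
    return attr[2], attr[3:]


def verify_chap(attr: bytes, secret: bytes, request_authenticator: bytes,
                chap_challenge: Optional[bytes] = None) -> bool:
    """Server-side check of a CHAP-Password against the user's cleartext secret.

    The challenge is the CHAP-Challenge attribute if the NAS sent one,
    otherwise the 16-byte Request Authenticator of the Access-Request.
    """
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    chap_id, response = parse_chap_password(attr)
    expected = chap_response(chap_id, secret, challenge)
    # Constant-time comparison so a verifier does not leak via timing.
    return hmac.compare_digest(expected, response)


# Constructed sample values (not taken from the thread).
SAMPLE_ID = 0x2A
SAMPLE_SECRET = b"smartcard-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def demo() -> bool:
    """Round trip: the NAS builds the attribute, the server verifies it."""
    attr = build_chap_password(SAMPLE_ID, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    return verify_chap(attr, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)


if __name__ == "__main__":
    print(demo())
```

The MD5 step is the only thing the thread proposes replacing with AES; everything else in the attribute (the ident, the 19-byte length, the challenge source) stays the same, which is why the result would parse as CHAP-Password on the wire but no longer be CHAP, and why Alan suggests a separate attribute and module instead.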