freeradiusclient and CHAP support
Hi, I'm having an issue with the client library and was looking for some help. I'm currently using both the freeradius server and client and I was having some issues with CHAP support. I noticed in the code that the CHAP section of the client side was commented out. I'm tried uncommenting it, noticed the password length issues and checked google. I already know that CHAP isn't the best protocol to use, and I agree. Unfortunately, I still need to use it anyway. I have been looking through the source trying to figure out what the problem is the code is. Like I said, I noticed the password length error and tried simply compensating for that, but the passwords still do not match. What puzzles me is that CHAP works just fine in the radclient packaged with the server, so I feel that it should not be impossible to implement in the client library. If someone could point me in the right direction, or possibly explain the root cause of the problem in more detail, that would be much appreciated. Any help you could offer would be great. Thanks. Chris Gamio
Christopher Gamio wrote:
I'm currently using both the freeradius server and client and I was having some issues with CHAP support. I noticed in the code that the CHAP section of the client side was commented out. I'm tried uncommenting it, noticed the password length issues and checked google. I already know that CHAP isn't the best protocol to use, and I agree. Unfortunately, I still need to use it anyway. I have been looking through the source trying to figure out what the problem is the code is.
You could try fixing the code to implement the CHAP protocol correctly. The specifications are publicly available, as are multiple implementations.
Like I said, I noticed the password length error and tried simply compensating for that, but the passwords still do not match. What puzzles me is that CHAP works just fine in the radclient packaged with the server,
Because that code works, and implements the protocol correctly.
so I feel that it should not be impossible to implement in the client library. If someone could point me in the right direction, or possibly explain the root cause of the problem in more detail, that would be much appreciated.
Look at freeradius-server, src/lib/radius.c for a correct implementation of the CHAP protocol. Make the freeradius-client code use the same algorithm. Alan DeKok.
I think I may of narrowed down part of the problem. By inspecting the packets I've noticed that for some reason the NAS IP Address information is overwriting the CHAP password field. Any idea on where / why this could be happening for the CHAP password field and not the PAP? On Mon, Apr 27, 2009 at 6:02 AM, Alan DeKok <aland@deployingradius.com> wrote:
Christopher Gamio wrote:
I'm currently using both the freeradius server and client and I was having some issues with CHAP support. I noticed in the code that the CHAP section of the client side was commented out. I'm tried uncommenting it, noticed the password length issues and checked google. I already know that CHAP isn't the best protocol to use, and I agree. Unfortunately, I still need to use it anyway. I have been looking through the source trying to figure out what the problem is the code is.
You could try fixing the code to implement the CHAP protocol correctly. The specifications are publicly available, as are multiple implementations.
Like I said, I noticed the password length error and tried simply compensating for that, but the passwords still do not match. What puzzles me is that CHAP works just fine in the radclient packaged with the server,
Because that code works, and implements the protocol correctly.
so I feel that it should not be impossible to implement in the client library. If someone could point me in the right direction, or possibly explain the root cause of the problem in more detail, that would be much appreciated.
Look at freeradius-server, src/lib/radius.c for a correct implementation of the CHAP protocol. Make the freeradius-client code use the same algorithm.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Christopher Gamio wrote:
I think I may of narrowed down part of the problem. By inspecting the packets I've noticed that for some reason the NAS IP Address information is overwriting the CHAP password field. Any idea on where / why this could be happening for the CHAP password field and not the PAP?
Probably because the code wasn't tested. It *is* commented out by default, which means it doesn't work. Alan DeKok.
participants (2)
-
Alan DeKok -
Christopher Gamio