yao guoxian wrote:
Hi! I have a smart card emluator which suports AES, not MD5 encryption algorithm. Is it possible to enable Freeradius to support my smart card emlulator?
Edit the code.
I have an idea as follow: First,amending client agent (NAS) daemon program to make it send chap-password which is produced with AES, not MD5.
Don't do that. It isn't CHAP, and you will break a lot of things.
The usual md5 chap-password is produced as MD5( user-packet-ID+user-secret+16 bytes authenticator), while the aes chap-password is produced as AES(16 bytes authenticator) using user-secret as key.The usual md5 chap-passwor attribute in an Access Request packet is as follow: __________________________________________________
| code = 3 | Length = 19 | user-packet-ID | 16 bytes value| __________________________________________________ While the aes chap-password replaced the 16 bytes value ( MD5( user-packet-ID+user-secret+16 bytes authenticator)) with AES(16 bytes authenticator). Second ,amending rlm-chap.c to alter it to use AES to analyze the request packet. Is it practical? Appreciate any suggestions.
No, it's not practical. What you're missing is that none of the NASes will do the AES calculation, so changing FreeRADIUS won't help. If you control the software on the NAS, just invent a new attribute, "My-AES-Password", and use that. That's what attributes are for. Then, write a new module to support that attribute. That's what modules are for. Hacking existing attributes and modules is a recipe for disaster. Don't do it. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog