From RFC: 2865:
The random challenge can either be included in the CHAP-Challenge attribute or, if it is 16 octets long, it can be placed in the Request Authenticator field of the Access-Request packet. We are able to retrieve the clear text password and encrypt it with the CHAP-Challenge and see if it matches the CHAP-Password, but as far as I can tell, we don't have access to the Request Authenticator of the Access-Request packet in the perl module. Any thoughts on how to support the RFC?
Jeremy Kusnetz wrote:
We are able to retrieve the clear text password and encrypt it with the CHAP-Challenge and see if it matches the CHAP-Password, but as far as I can tell, we don't have access to the Request Authenticator of the Access-Request packet in the perl module.
Why would you want access to it in the Perl module? The "chap" module already does this.
Any thoughts on how to support the RFC?
Use the code that's already in the server? Your Perl module should supply a Cleartext-Password to the server, and the server will Just Do the Right Thing. If you're thinking of doing something else, I'd like to know why. Odds are it's overly complicated and unnecessary. Alan DeKok.
Why would you want access to it in the Perl module? The "chap" module already does this.
Use the code that's already in the server?
*> Any thoughts on how to support the RFC?
Your Perl module should supply a Cleartext-Password to the server, and the server will Just Do the Right Thing.
If you're thinking of doing something else, I'd like to know why. Odds are it's overly complicated and unnecessary.
I didn't realize that is how it works, looking at: http://wiki.freeradius.org/Rlm_perl It seems like I need to do all the authentication and set the RAD_REPLY attributes. That does work except for my problem case, but what you are saying is all I have to do is return the clear text password, and freeradius will do the rest? I'm not seeing how to just return the clear text password from the wiki docs.
Jeremy Kusnetz wrote:
It seems like I need to do all the authentication and set the RAD_REPLY attributes.
No. The module *can* be listed in the "authenticate" section, but it doesn't *have* to be listed there.
That does work except for my problem case, but what you are saying is all I have to do is return the clear text password, and freeradius will do the rest? I'm not seeing how to just return the clear text password from the wiki docs.
You don't "return" any attributes. You update the hashes, and the server figures it out. ... $RAD_CHECK{'Cleartext-Password'} = "bob"; ... Alan DeKok.
participants (2)
-
Alan DeKok -
Jeremy Kusnetz