configure freeRADIUS with a CHAP "access-challenge" message
Hi, Can anyone please let me know How to configure freeRADIUS server so it replies with a CHAP "access-challenge" message on "access-request" from a client? I am new to the freeradius tool. so it will better if anyone provide the document for above request. Thanks, Arnold
Can anyone please let me know How to configure freeRADIUS server so it replies with a CHAP "access-challenge" message on "access-request" from a client?
FreeRADIUS handles CHAP fine, so there's nothing to configure for the Access-Challenge part of the exchange. Configure your user in the users file (to begin with, and then later in the user directory/source of your choice, like a database or LDAP directory) and make sure you have a password set for it. To see which password obfuscation/encryption schemes work with which authentication scheme in RADIUS (not just FreeRADIUS), see http://deployingradius.com/documents/protocols/compatibility.html :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On 22-07-15 08:27, Arul Sundaramoorthy wrote:
Hi,
Can anyone please let me know How to configure freeRADIUS server so it replies with a CHAP "access-challenge" message on "access-request" from a client?
The name CHAP is a bit misleading (at least in RADIUS context), because there is no Challenge or Handshake in the RADIUS conversation. The attribute CHAP-Password is just a hash calculated from the plaintext password and the identifier and authenticator of the packet. This is included in the Access-Request, and since there's no more need for more information the server response will be an Access-Accept or Access-Reject. That's just how CHAP works. Having said this, you might want to reconsider if you really want to use CHAP in your application. The protocol requires all passwords to be plaintext on the server and there is virtually no replay protection. Some more information: chapter 5.2.1 of http://networkradius.com/doc/FreeRADIUS-Implementation-Ch5.pdf -- Herwin Weststrate
participants (3)
-
Arul Sundaramoorthy -
Herwin Weststrate -
Stefan Paetow