Hi *, I have a RADIUS client requesting an authorization and I would like to know which protocol this client is using. When running freeradius with -X I get the following output: ... modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 users: Matched entry DEFAULT at line 153 users: Matched entry DEFAULT at line 217 users: Matched entry 00139D0009CD at line 220 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type Local auth: type Local auth: user supplied User-Password matches local User-Password ... I assume "local" refers to the "users" file. But is there a way to see the actual authorization protocol used between client and server? Thanks a lot in advance for any help!
Christoph Schmidt wrote:
I have a RADIUS client requesting an authorization and I would like to know which protocol this client is using.
Look in the packet. It says this. User-Password -> PAP CHAP-Pasword -> CHAP MS-CHAP-* -> MSCHAP EAP-* -> EAP It's really that easy. Alan DeKok.
Thanks for the answer. Wireshark tells me AVP: l=18 t=User-Password(2): Encrypted According to your list it should be PAP, but PAP does not encrypt the passwords. Looking in the byte stream, I cannot find the configured password. So I have doubts that it's really PAP. Christoph On Fri, 2009-09-11 at 11:25 +0200, Alan DeKok wrote:
Christoph Schmidt wrote:
I have a RADIUS client requesting an authorization and I would like to know which protocol this client is using.
Look in the packet. It says this.
User-Password -> PAP CHAP-Pasword -> CHAP MS-CHAP-* -> MSCHAP EAP-* -> EAP
It's really that easy.
Alan DeKok.
Christoph Schmidt wrote:
Thanks for the answer.
Wireshark tells me
Ah... so you're not interested in the answer. You're interested in arguing about it.
AVP: l=18 t=User-Password(2): Encrypted
According to your list it should be PAP, but PAP does not encrypt the passwords. Looking in the byte stream, I cannot find the configured password. So I have doubts that it's really PAP.
You ask some of the leading RADIUS experts a question, and when you get an answer, you tell them they're wrong. Why? You aren't a RADIUS expert. You haven't read the RFC's. You don't understand why the password is encrypted. Rather than believe someone who does understand RADIUS, you come to a false conclusion based on a lack of knowledge, and on an intentional disregard of the truth. Why are you wasting your time and mine? Alan DeKok.
Hi,
Thanks for the answer.
Wireshark tells me
AVP: l=18 t=User-Password(2): Encrypted
According to your list it should be PAP, but PAP does not encrypt the passwords. Looking in the byte stream, I cannot find the configured password. So I have doubts that it's really PAP.
huh? PAP is plain text authentication - sure. but RADIUS uses shared secrets between the NAS and the server - and the password is one of the entities that will get a little bit of help witht his. read a basic RADIUS book or the set of RFCs and it will tell you this. however, this is not strong encryption...and methods that use challenge response (eg MSCHAP) are recommended if you have worries about passwords whizzing across the network. alan
Thanks a lot !!! On Mon, 2009-09-14 at 10:10 +0100, Alan Buxey wrote:
Hi,
huh? PAP is plain text authentication - sure. but RADIUS uses shared secrets between the NAS and the server - and the password is one of the entities that will get a little bit of help witht his.
read a basic RADIUS book or the set of RFCs and it will tell you this.
however, this is not strong encryption...and methods that use challenge response (eg MSCHAP) are recommended if you have worries about passwords whizzing across the network.
alan
participants (3)
-
Alan Buxey -
Alan DeKok -
Christoph Schmidt