The story of PAP, CHAP and the blank password
Greetings all, Instead of auth'ing a user on the 'User-Name' / 'Cleartext-Password' method we are using the 'Caller-Station-Id' with a blank password. ... # /etc/freeradius/sql/mysql/dialup.conf sql_user_name = "%{Calling-Station-Id}" ... We are using a mysql backend Here are a few challenges that came up: Using PAP: * The blank password transmitted is picked up by the RADIUS as "void" (an actual string value of 4 charaters) * To authenticate the 'blank password' the radcheck is set to [ user123 | Cleartext-Password | := | void] * Here are snippets of a successful connection ... rad_recv: Access-Request packet from host x.x.x.x port 57772, id=75, length=156 User-Name = "void" User-Password = "void" NAS-IP-Address = x.x.x.x NAS-Identifier = "rbggs2" Called-Station-Id = "apn.xxx.net" Framed-Protocol = GPRS-PDP-Context Service-Type = Framed-User NAS-Port-Type = Virtual NAS-Port = 230647144 Calling-Station-Id = "00121231234" 3GPP-PDP-Type = 0 3GPP-SGSN-Address = x.x.x.x 3GPP-GGSN-Address = x.x.x.x +- entering group authorize {...} ... ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "void" [pap] Using clear text password "void" [pap] User authenticated successfully ++[pap] returns ok expand: The elders of the internet have granted you access -> The elders of the internet have granted you access Login OK: [void/void] (from client XXX_APN port 230647144 cli 00121231234) The elders of the internet have granted you access +- entering group post-auth {...} ... Using CHAP: * The blank password transmitted is picked up by the RADIUS as a challenge * To authenticate the 'blank password' the radcheck is set to [ user123 | Cleartext-Password | := | "" ] * Here are snippets of a successful connection rad_recv: Access-Request packet from host x.x.x.x port 50312, id=67, length=175 User-Name = "void" CHAP-Challenge = 0x48e2fc18c8f16b825cc4ce7c06b4bdea CHAP-Password = 0x012a6931a816773e44873124ecd7701e57 NAS-IP-Address = x.x.x.x NAS-Identifier = "rbggs2" Called-Station-Id = "apn.xxx.net" Framed-Protocol = GPRS-PDP-Context Service-Type = Framed-User NAS-Port-Type = Virtual NAS-Port = 123703984 Calling-Station-Id = "00121231234" 3GPP-PDP-Type = 0 3GPP-SGSN-Address = x.x.x.x 3GPP-GGSN-Address = x.x.x.x +- entering group authorize {...} ... ++[logintime] returns noop [pap] No clear-text password in the request. Not performing PAP. ++[pap] returns noop WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. CHAP-Password is correct. expand: The elders of the internet have granted you access -> The elders of the internet have granted you access Login OK: [void/<CHAP-Password>] (from client XXX_APN port 100795256 cli 00121231234) The elders of the internet have granted you access +- entering group post-auth {...} ... Is the transmission of the 'blank password' the responsibility of the NAS or can the password be manipulated in the FR settings / configs? Thanks Wynand
Hi,
WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead.
i'd follow that advice. FR knows what to do when it sees suitable things. anyway, the 'void' is being sent by the NAS - and its being sent CHAP'd too can your kit not do the usual naff thing of sending the CSI as the password so you just have a simple pair 00121231234:00121231234 ? thats whats usually done in these sorts of 'just let them on' environments alan
Thanks for the feedback, We have made contact with the NAS 'provider' and requested they resolve the issue by replacing the string "void" with nothing. As the passed string is the 'cause' of the problem we would rather them fix it than we try and hack around it. If these errors keep persisting we will look into a solution as you suggested like 00121231234:00121231234 or 00121231234:1111 Thanks Wynand On 16/03/2011 13:12, Alan Buxey wrote:
Hi,
WARNING: Please update your configuration, and remove 'Auth-Type = Local' WARNING: Use the PAP or CHAP modules instead. i'd follow that advice. FR knows what to do when it sees suitable things.
anyway, the 'void' is being sent by the NAS - and its being sent CHAP'd too can your kit not do the usual naff thing of sending the CSI as the password so you just have a simple pair
00121231234:00121231234
? thats whats usually done in these sorts of 'just let them on' environments
alan
Hi, Need a doc/pointer on FreeRadius+OpenLDAP+Mobile-OTP configuration, I would be implementing this in a SuSE server. Can any one help me how to do it? Regards, Neo
On Wed, Mar 16, 2011 at 06:19:08PM +0530, pradyumna dash wrote:
Hi,
Need a doc/pointer on FreeRadius+OpenLDAP+Mobile-OTP configuration, I would be implementing this in a SuSE server.
Can any one help me how to do it?
Regards, Neo
I thought there was a link to a how-to for this on the mobile-otp website. I am getting ready to do it here as well with Redhat. Cheers, Ken
In Wed, Mar 16, 2011 at 10:21 AM, Kenneth Marshall <ktm@rice.edu> wrote:
On Wed, Mar 16, 2011 at 06:19:08PM +0530, pradyumna dash wrote:
Hi,
Need a doc/pointer on FreeRadius+OpenLDAP+Mobile-OTP configuration, I would be implementing this in a SuSE server.
Can any one help me how to do it?
Regards, Neo
I thought there was a link to a how-to for this on the mobile-otp website. I am getting ready to do it here as well with Redhat.
Here's one that I did for WiKID one-time password system. I bet that the first half on openldap and freeradius would be exactly the same: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-t... HTH, Nick
Cheers, Ken - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
Thanks Nick, will have a look . Ken if you crack it please share the doc. Cheers, Neo On Thu, Mar 17, 2011 at 12:45 AM, Nick Owen <nowen@wikidsystems.com> wrote:
In Wed, Mar 16, 2011 at 10:21 AM, Kenneth Marshall <ktm@rice.edu> wrote:
On Wed, Mar 16, 2011 at 06:19:08PM +0530, pradyumna dash wrote:
Hi,
Need a doc/pointer on FreeRadius+OpenLDAP+Mobile-OTP configuration, I would be implementing this in a SuSE server.
Can any one help me how to do it?
Regards, Neo
I thought there was a link to a how-to for this on the mobile-otp website. I am getting ready to do it here as well with Redhat.
Here's one that I did for WiKID one-time password system. I bet that the first half on openldap and freeradius would be exactly the same:
http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-t...
HTH,
Nick
Cheers, Ken - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Alan Buxey -
Kenneth Marshall -
Nick Owen -
pradyumna dash -
Wynand Meijer