ms-chap authentication with client tool?
hi, is there any simple tool(other than jradius) which can be used as radius client and which can be used to test mschap authentication?? if so, please give the packet contents for radius client and the users file check-items. --DilipSimha
DilipSimha.N.M wrote:
hi,
is there any simple tool(other than jradius) which can be used as radius client and which can be used to test mschap authentication?? if so, please give the packet contents for radius client and the users file check-items.
1. run FreeRadius in debugging mode 2. perform a successful MS-CHAP authentication with a "real" client 3. copy the following info from the FreeRadius debugging output: User-Name = "user" MS-CHAP-Challenge = 0xBYTES MS-CHAP2-Response = 0xBYTES 4. with that info, create a file containing a radius request: Service-Type = Framed-User Framed-Protocol = PPP User-Name = "user" MS-CHAP-Challenge = 0xBYTES MS-CHAP2-Response = 0xBYTES Calling-Station-Id = "something" NAS-IP-Address = 192.168.1.2 NAS-Port = 1 5. run the command "radclient -s -f $FILE $HOST auth $SECRET" The radius server will authenticate that request every time. Since the challenge from a real NAS is essentially random there is only a low (but not zero) risk in having the info in a file. You may need to edit your users file to disable things such as IP address pool assignment or such, but it will basically work fine. Such editing is dependent on your local configuration.
You could try using the windows program NTRadPing from http://www.dialways.com/download/. It has a "CHAP" checkbox. HTH, Patrick On 1/31/06, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
DilipSimha.N.M wrote:
hi,
is there any simple tool(other than jradius) which can be used as radius client and which can be used to test mschap authentication?? if so, please give the packet contents for radius client and the users file check-items.
1. run FreeRadius in debugging mode
2. perform a successful MS-CHAP authentication with a "real" client
3. copy the following info from the FreeRadius debugging output: User-Name = "user" MS-CHAP-Challenge = 0xBYTES MS-CHAP2-Response = 0xBYTES
4. with that info, create a file containing a radius request: Service-Type = Framed-User Framed-Protocol = PPP User-Name = "user" MS-CHAP-Challenge = 0xBYTES MS-CHAP2-Response = 0xBYTES Calling-Station-Id = "something" NAS-IP-Address = 192.168.1.2 NAS-Port = 1
5. run the command "radclient -s -f $FILE $HOST auth $SECRET"
The radius server will authenticate that request every time. Since the challenge from a real NAS is essentially random there is only a low (but not zero) risk in having the info in a file.
You may need to edit your users file to disable things such as IP address pool assignment or such, but it will basically work fine. Such editing is dependent on your local configuration. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Patrick Bartkus wrote:
You could try using the windows program NTRadPing from http://www.dialways.com/download/. It has a "CHAP" checkbox.
CHAP and MS-CHAP are quite different. josh.
"DilipSimha.N.M" <nmdsimha@gmail.com> wrote:
is there any simple tool(other than jradius) which can be used as radius client and which can be used to test mschap authentication??
radclient should really be updated to support MS-CHAP. It's not hard. And it would be easier to do that than to write another client.
if so, please give the packet contents for radius client and the users file check-items.
src/tests/mschapv1 Alan DeKok.
comments INLINE.... Alan DeKok wrote:
"DilipSimha.N.M" <nmdsimha@gmail.com> wrote:
is there any simple tool(other than jradius) which can be used as radius client and which can be used to test mschap authentication??
radclient should really be updated to support MS-CHAP. It's not hard. And it would be easier to do that than to write another client.
if so, please give the packet contents for radius client and the users file check-items.
src/tests/mschapv1
as u have specified in src/tests/README , that lines with #U shud go into users file. but in src/tests/mschapv1 u have given User-Password in clear text??? mschap has the advantage over chap, that it doesn't store passwords in clear-text in the users file. am i right????
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"DilipSimha.N.M" <nmdsimha@gmail.com> wrote:
as u have specified in src/tests/README , that lines with #U shud go into users file. but in src/tests/mschapv1 u have given User-Password in clear text???
Yes, so?
mschap has the advantage over chap, that it doesn't store passwords in clear-text in the users file. am i right????
No. Alan DeKok.
participants (5)
-
Alan DeKok -
DilipSimha.N.M -
Josh Howlett -
Patrick Bartkus -
Phil Mayers