How to enable Freeradius to support a smart card with AES encryption algorithm?

yao guoxian yaoguoxian at
Thu Feb 1 13:50:19 CET 2007

    I have a smart card emluator which suports AES, not MD5 encryption
algorithm. Is it possible to enable Freeradius to support my smart card
    I have an idea as follow:
    First,amending client agent (NAS) daemon program to make it send
chap-password which is produced with AES, not MD5. The usual md5
chap-password is produced as MD5( user-packet-ID+user-secret+16 bytes
authenticator), while the aes chap-password is produced as AES(16 bytes
authenticator) using user-secret as key.The usual md5 chap-passwor attribute
in an Access Request packet is as follow:

|  code = 3 |  Length = 19  | user-packet-ID  |  16 bytes value|
While the aes chap-password replaced the 16 bytes value ( MD5(
user-packet-ID+user-secret+16 bytes authenticator)) with AES(16 bytes
    Second ,amending rlm-chap.c to alter it  to  use  AES  to  analyze  the
request packet.
    Is it practical? Appreciate any suggestions.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list