How to enable Freeradius to support a smart card with AES encryption algorithm?

Alan DeKok aland at deployingradius.com
Thu Feb 1 14:21:16 CET 2007


yao guoxian wrote:
> Hi!
>     I have a smart card emulator which supports AES, not the MD5 encryption
> algorithm. Is it possible to enable Freeradius to support my smart card
> emulator?

  Edit the code.

>     I have an idea as follow:
>     First, amending the client agent (NAS) daemon program to make it send a
> chap-password which is produced with AES, not MD5.

  Don't do that.  It isn't CHAP, and you will break a lot of things.

> The usual md5
> chap-password is produced as MD5( user-packet-ID+user-secret+16 bytes
> authenticator), while the aes chap-password is produced as AES(16 bytes
> authenticator) using user-secret as key. The usual md5 chap-password
> attribute in an Access Request packet is as follows:
> ________________________________________________________________
> 
> |  code = 3 |  Length = 19  | user-packet-ID  |  16 bytes value |
> ________________________________________________________________
> While the aes chap-password replaces the 16 bytes value ( MD5(
> user-packet-ID+user-secret+16 bytes authenticator)) with AES(16 bytes
> authenticator).
>     Second, amending rlm_chap.c to alter it to use AES to analyze
> the request packet.
>     Is it practical? Appreciate any suggestions.

  No, it's not practical.

  What you're missing is that none of the NASes will do the AES
calculation, so changing FreeRADIUS won't help.

  If you control the software on the NAS, just invent a new attribute,
"My-AES-Password", and use that.  That's what attributes are for.  Then,
write a new module to support that attribute.  That's what modules are for.

  Hacking existing attributes and modules is a recipe for disaster.
Don't do it.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
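As an added example (not part of the thread and not FreeRADIUS code), the following Python shows both halves of the reply above in RFC 2865 terms: the standard CHAP-Password check that rlm_chap performs (MD5 over CHAP ID, secret and challenge, with the Request Authenticator as challenge when no CHAP-Challenge attribute is present), and a separate Vendor-Specific attribute that carries a private 16-byte proof without touching attribute 3. The vendor ID 99999, the vendor-type 1 and the name "My-AES-Password" for that VSA are assumptions for the example; the AES computation itself is not implemented, so the proof is a constructed placeholder, and the server-side module that would consume the VSA is not shown. The sample packet is constructed inline.

```python
import hashlib
import hmac
import struct

# RFC 2865 code and attribute types used in this example.
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CHAP_PASSWORD = 3
ATTR_VENDOR_SPECIFIC = 26
ATTR_CHAP_CHALLENGE = 60

# Hypothetical private attribute for the "My-AES-Password" idea from the reply.
# The vendor ID and vendor-type are assumptions made up for this example.
MY_VENDOR_ID = 99999
MY_AES_PASSWORD_VTYPE = 1


def chap_response(ident, secret, challenge):
    """RFC 2865 section 5.3: CHAP-Password value = MD5(CHAP ID + secret + challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def encode_attr(attr_type, value):
    """One RFC 2865 TLV: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) followed by a vendor TLV (RFC 2865 section 5.26)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_attrs(blob):
    """Walk a TLV list, refusing truncated or zero-length attributes."""
    attrs = []
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[off + 2:off + length]))
        off += length
    return attrs


def build_access_request(pkt_id, authenticator, attrs):
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, pkt_id, 20 + len(body))
    return header + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, pkt_id, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    return code, pkt_id, pkt[4:20], parse_attrs(pkt[20:])


def first_attr(attrs, attr_type):
    for t, v in attrs:
        if t == attr_type:
            return v
    return None


def verify_chap(pkt, user_secret):
    """Server-side check, as rlm_chap does it: recompute the MD5 and compare."""
    _code, _pkt_id, authenticator, attrs = parse_packet(pkt)
    cp = first_attr(attrs, ATTR_CHAP_PASSWORD)
    if cp is None or len(cp) != 17:
        return False
    ident, given = cp[0], cp[1:]
    # Without a CHAP-Challenge attribute the Request Authenticator is the challenge.
    challenge = first_attr(attrs, ATTR_CHAP_CHALLENGE) or authenticator
    return hmac.compare_digest(chap_response(ident, user_secret, challenge), given)


def find_my_aes_password(pkt):
    """Return the 16-byte proof carried in the (hypothetical) private VSA, or None."""
    _code, _pkt_id, _auth, attrs = parse_packet(pkt)
    for t, v in attrs:
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        vendor_id = struct.unpack("!I", v[:4])[0]
        vtype, vlen = v[4], v[5]
        if vendor_id == MY_VENDOR_ID and vtype == MY_AES_PASSWORD_VTYPE and vlen == len(v) - 4:
            return v[6:vlen + 4]
    return None


def demo_packet(secret=b"s3cret", aes_proof=b"\xaa" * 16):
    """Constructed sample request: User-Name, a standard CHAP-Password and the private VSA."""
    authenticator = bytes(range(16))  # constructed; a real NAS sends random bytes here
    chap_ident = 0x5A
    attrs = [
        encode_attr(ATTR_USER_NAME, b"bob"),
        encode_attr(ATTR_CHAP_PASSWORD,
                    bytes([chap_ident]) + chap_response(chap_ident, secret, authenticator)),
        encode_vsa(MY_VENDOR_ID, MY_AES_PASSWORD_VTYPE, aes_proof),  # stand-in for the AES proof
    ]
    return build_access_request(7, authenticator, attrs)
```

Because attribute 3 still carries a genuine MD5 CHAP value, any existing NAS or proxy that parses the packet keeps working, and a server that knows nothing about the VSA simply ignores it; only a module written for the new attribute (declared to FreeRADIUS through a VENDOR/ATTRIBUTE entry in a dictionary file) would look at the proof. Overwriting the 16-byte field of attribute 3 with an AES output, as the question proposes, would instead make every standard CHAP verifier reject the request.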



More information about the Freeradius-Users mailing list