The story of PAP, CHAP and the blank password
Wynand Meijer
wynand at brandedinternet.co.za
Wed Mar 16 12:06:42 CET 2011
Greetings all,
Instead of authenticating a user on the 'User-Name' / 'Cleartext-Password'
method we are using the 'Calling-Station-Id' with a blank password.
...
# /etc/freeradius/sql/mysql/dialup.conf
sql_user_name = "%{Calling-Station-Id}"
...
We are using a mysql backend
Here are a few challenges that came up:
Using PAP:
* The blank password transmitted is picked up by the RADIUS server as "void"
(an actual string value of 4 characters)
* To authenticate the 'blank password' the radcheck is set to [ user123
| Cleartext-Password | := | void]
* Here are snippets of a successful connection
...
rad_recv: Access-Request packet from host x.x.x.x port 57772, id=75,
length=156
User-Name = "void"
User-Password = "void"
NAS-IP-Address = x.x.x.x
NAS-Identifier = "rbggs2"
Called-Station-Id = "apn.xxx.net"
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
NAS-Port = 230647144
Calling-Station-Id = "00121231234"
3GPP-PDP-Type = 0
3GPP-SGSN-Address = x.x.x.x
3GPP-GGSN-Address = x.x.x.x
+- entering group authorize {...}
...
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "void"
[pap] Using clear text password "void"
[pap] User authenticated successfully
++[pap] returns ok
expand: The elders of the internet have granted you access -> The
elders of the internet have granted you access
Login OK: [void/void] (from client XXX_APN port 230647144 cli
00121231234) The elders of the internet have granted you access
+- entering group post-auth {...}
...
Using CHAP:
* The blank password transmitted is picked up by the RADIUS server as a challenge
* To authenticate the 'blank password' the radcheck is set to [ user123
| Cleartext-Password | := | "" ]
* Here are snippets of a successful connection
rad_recv: Access-Request packet from host x.x.x.x port 50312, id=67,
length=175
User-Name = "void"
CHAP-Challenge = 0x48e2fc18c8f16b825cc4ce7c06b4bdea
CHAP-Password = 0x012a6931a816773e44873124ecd7701e57
NAS-IP-Address = x.x.x.x
NAS-Identifier = "rbggs2"
Called-Station-Id = "apn.xxx.net"
Framed-Protocol = GPRS-PDP-Context
Service-Type = Framed-User
NAS-Port-Type = Virtual
NAS-Port = 123703984
Calling-Station-Id = "00121231234"
3GPP-PDP-Type = 0
3GPP-SGSN-Address = x.x.x.x
3GPP-GGSN-Address = x.x.x.x
+- entering group authorize {...}
...
++[logintime] returns noop
[pap] No clear-text password in the request. Not performing PAP.
++[pap] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
CHAP-Password is correct.
expand: The elders of the internet have granted you access -> The
elders of the internet have granted you access
Login OK: [void/<CHAP-Password>] (from client XXX_APN port 100795256 cli
00121231234) The elders of the internet have granted you access
+- entering group post-auth {...}
...
Is the transmission of the 'blank password' the responsibility of the
NAS or can the password be manipulated in the FR settings / configs?
Thanks
Wynand