CHAP Challenge

Alan DeKok aland at deployingradius.com
Tue Apr 17 17:45:27 CEST 2012


GT4NE1 wrote:
> My apologies.  This was my poor attempt at providing enough
> information, but not having to censor the output as much.  Here is a
> full debug for a few attempts with unique information censored out.
> I appreciate the response.

  The client is broken.  There is no other choice.

  The correct CHAP-Password is 0x006368d912a3c73c9b19b9d830529bfec5.

  *However*, if I truncate the CHAP-Challenge to 48 bytes:

0x7edf2cf58afb187156d7c4ade27330a92ecf5c653aeb48e106c7f41d92636019debf8cd5eadb7851b6b7248d42539089

  Then FreeRADIUS calculates the CHAP-Password you have in the packet,
and authenticates the user.

  Go back to whoever sold you the modem, and tell them that their
product is broken.  Tell them to fix their product.  It's OK to truncate
the CHAP-Challenge at 48 bytes.  But if they do so, they MUST send a
48-byte CHAP-Challenge.  Sending a LONGER one is stupid and wrong.

  If they argue, point out the above analysis.  Get them to try it for
themselves.  If they still argue, point out all of the RADIUS RFCs with
my name on them.  Give them my contact information.

  Their product doesn't work, and cannot possibly work.  The tests that
the Juniper guys did were likely with CHAP-Challenges of 48 bytes or
less.  I doubt very much that SBR is so broken as to also truncate
challenges at 48 bytes.

  Alan DeKok.
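The check Alan describes (recompute the CHAP-Password from the challenge as sent, then from the challenge truncated to 48 bytes) can be reproduced with a few lines of Python. The following is an added example, not code from the thread or from FreeRADIUS. It uses the 48-byte CHAP-Challenge quoted above as the prefix, but the extra tail bytes, the user's password and the resulting hashes are constructed placeholders, since the real password is not on the page and the quoted CHAP-Password therefore cannot be reproduced here. The `diagnose` helper name and the "full" / "truncated" / "mismatch" labels are this example's own.

```python
import hashlib
import hmac

# The 48-byte CHAP-Challenge quoted in the post above.
CHALLENGE_48 = bytes.fromhex(
    "7edf2cf58afb187156d7c4ade27330a92ecf5c653aeb48e106c7f41d92636019"
    "debf8cd5eadb7851b6b7248d42539089"
)
# Constructed: 16 extra bytes standing in for whatever the modem appended
# beyond byte 48. The real tail bytes are not on the page.
EXTRA_TAIL = bytes(range(0xA0, 0xB0))
CHALLENGE_LONG = CHALLENGE_48 + EXTRA_TAIL
PASSWORD = b"example-secret"   # constructed placeholder, not the real password
CHAP_ID = 0x00                 # leading byte of the CHAP-Password in the post


def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password per RFC 1994 / RFC 2865: ID || MD5(ID || password || challenge)."""
    digest = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    return bytes([chap_id]) + digest


def chap_verify(chap_pw: bytes, password: bytes, challenge: bytes) -> bool:
    """Server-side check: recompute from the challenge we were sent and compare."""
    if len(chap_pw) != 17:          # 1 ID byte + 16 MD5 bytes
        return False
    expected = chap_password(chap_pw[0], password, challenge)
    return hmac.compare_digest(chap_pw, expected)


def diagnose(chap_pw: bytes, password: bytes, challenge: bytes, limit: int = 48) -> str:
    """Replicates the debugging step in the post: does the response match the
    challenge as sent, the challenge truncated to `limit` bytes, or neither?"""
    if chap_verify(chap_pw, password, challenge):
        return "full"
    if len(challenge) > limit and chap_verify(chap_pw, password, challenge[:limit]):
        return "truncated"
    return "mismatch"


def broken_client_response() -> bytes:
    """Model of the misbehaving modem: it hashes only the first 48 bytes of the
    challenge but transmits the longer challenge on the wire."""
    return chap_password(CHAP_ID, PASSWORD, CHALLENGE_LONG[:48])


def correct_client_response() -> bytes:
    """A conforming client hashes exactly the challenge it transmits."""
    return chap_password(CHAP_ID, PASSWORD, CHALLENGE_LONG)


if __name__ == "__main__":
    print("broken client :", diagnose(broken_client_response(), PASSWORD, CHALLENGE_LONG))
    print("correct client:", diagnose(correct_client_response(), PASSWORD, CHALLENGE_LONG))
```

A result of "truncated" from `diagnose` is the signature of the fault in the thread: the response only verifies against the first 48 bytes of a longer challenge, which is why the server's normal check fails while the same credentials succeed once the challenge is cut down. A server that silently accepted the truncated form would be hiding the client bug rather than fixing it, so the diagnostic is for troubleshooting, not for production verification.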

