MSCHAPv2 followed by a smsotp authentication

Alan DeKok aland at deployingradius.com
Sat Mar 31 23:00:07 CEST 2012


Thomas Glanzmann wrote:
> my initial thought that the state may only contain numbers, was wrong.
> Now I want to verify that the message authenticator sent by freeradius
> is correct, can you please walk me through how to do that?

  Read the code.

> I also added debugging code to freeradius so that it tells me that it
> creates the Authenticator after smsotp was called and the reply type is
> set to Access-Challenge. But it needs to be something and the Message
> Authenticator is the only thing that I can't currently verify, so I have
> the hope that freeradius does calculate it wrong for Access-Challenges
> at least when using the rlm_smsotp module. Please advise.

  FreeRADIUS calculates the correct Message-Authenticator.

> Shared secret between freeradius and client: testing123
> 
> PCAP File: http://thomas.glanzmann.de/tmp/freeradius.pcap
> 
> And I'm interested how I can verify that the Message Authenticator in the
> Access-Challenge is correct.

  You're wasting your time.

  FreeRADIUS works.  It works with 1000's of access points and switches.
 If it doesn't work with some vendor's product, it's because that vendor
doesn't implement RADIUS.

  I really can't say this any other way.

> Btw. do you know of any 'radtest' client which supports
> challenge-response?

  For specific authentication methods, radclient.  For random things, no.

  Alan DeKok.
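
Added example, not part of the original message and not FreeRADIUS code: one way to check the Message-Authenticator of an Access-Challenge as RFC 3579 section 3.2 defines it (HMAC-MD5 keyed with the shared secret, computed with the Request Authenticator of the matching Access-Request in the header and the attribute value zeroed). The helper names, the request authenticator and the sample packet are constructed for illustration; only the secret testing123 comes from the thread.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869, RFC 3579)

def find_attr(packet, attr_type):
    """Return (value_offset, value_length) of the first matching attribute, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == attr_type:
            return pos + 2, alen - 2
        pos += alen
    return None

def verify_reply(reply, request_auth, secret):
    """Return (message_authenticator_ok, response_authenticator_ok)."""
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or len(reply) < length:
        raise ValueError("truncated packet")
    reply = reply[:length]
    loc = find_attr(reply, MESSAGE_AUTHENTICATOR)
    if loc is None or loc[1] != 16:
        raise ValueError("no 16-octet Message-Authenticator")
    off = loc[0]
    # HMAC input: Request Authenticator in the header, zeros in the attribute value.
    signed = reply[:4] + request_auth + reply[20:off] + bytes(16) + reply[off + 16:]
    expected = hmac.new(secret, signed, hashlib.md5).digest()
    ma_ok = hmac.compare_digest(expected, reply[off:off + 16])
    # Response Authenticator: MD5 over the reply carrying the real Message-Authenticator.
    ra = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return ma_ok, hmac.compare_digest(ra, reply[4:20])

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a signed reply; used here only to construct sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    ma = hmac.new(secret, head + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + ma
    ra = hashlib.md5(head + request_auth + body + secret).digest()
    return head + ra + body

# Constructed sample: Access-Challenge (code 11) with State (24) and Reply-Message (18).
REQUEST_AUTH = bytes(range(16))
CHALLENGE = build_reply(11, 1, REQUEST_AUTH,
                        [(24, b"constructed-state"), (18, b"Enter OTP")], b"testing123")
print(verify_reply(CHALLENGE, REQUEST_AUTH, b"testing123"))
```

To run this against a capture, pass the raw RADIUS payload of the Access-Challenge and the 16-octet authenticator from the Access-Request with the same identifier.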

