Chap/Pap Authentication
Alan DeKok
aland at deployingradius.com
Fri Jan 18 21:04:28 CET 2013
Joseph Showalter wrote:
> What we would like to do is this:
>
> Take this request:
>
> User-Name = "6064191111 at evdo.myawi.net"
> CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
> NAS-IP-Address = 10.130.2.1
> CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
> 3GPP2-Attr-60 = 0x00000001
> 3GPP2-Attr-61 = 0x0106000000010209a0000029275c41
That looks like a series of TLVs to me. i.e. not a password. There
seems to be a 32-bit integer, followed by a 64-bit integer.
> And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into the cleartext-password, and have the sql module query the DB for that new password.
I'm not sure what that means. "convert it to the password we want"?
> Here is the perl code that we run prior to the pap module:
>
>
> $retattr .= "Cleartext-Password := $meid";
> $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
> $retattr .= ", Auth-Type := PAP ";
Well, that won't work.
The Cleartext-Password is the *known good* password. The PAP module
needs a User-Password, too. The User-Password is the password as
entered by the user.
If you're going to force authentication success, why not just set
"Auth-Type := Accept"? That avoids all of the mangling of passwords
(chap and pap)
Alan DeKok.
More information about the Freeradius-Users
mailing list