Chap/Pap Authentication

Alan DeKok aland at
Fri Jan 18 21:04:28 CET 2013

Joseph Showalter wrote:
> What we would like to do is this:
> Take this request:
> 	User-Name = "6064191111 at"
> 	CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
> 	NAS-IP-Address =
> 	CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
> 	3GPP2-Attr-60 = 0x00000001
> 	3GPP2-Attr-61 = 0x0106000000010209a0000029275c41

  That looks like a series of TLVs to me.  i.e. not a password.  There
seems to be a 32-bit integer, followed by a 64-bit integer.

> And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into the cleartext-password, and have the sql module query the DB for that new password.

  I'm not sure what that means.  "convert it to the password we want"?

> Here is the perl code that we run prior to the pap module:
>  $retattr .= "Cleartext-Password := $meid";
>  $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
>  $retattr .= ", Auth-Type := PAP ";

  Well, that won't work.

  The Cleartext-Password is the *known good* password.  The PAP module
needs a User-Password, too.  The User-Password is the password as
entered by the user.

  If you're going to force authentication success, why not just set
"Auth-Type := Accept"?  That avoids all of the mangling of passwords
(chap and pap)

  Alan DeKok.

More information about the Freeradius-Users mailing list