Chap/Pap Authentication

Joseph Showalter Tech at ekn.com
Fri Jan 18 21:26:33 CET 2013


Thanks so much for taking a look...

See comments below:

On Jan 18, 2013, at 3:04 PM, Alan DeKok <aland at deployingradius.com> wrote:

> Joseph  wrote:
>> What we would like to do is this:
>> 
>> Take this request:
>> 
>> 	User-Name = "6064191111 at evdo.myawi.net"
>> 	CHAP-Password = 0x59db2896a9629a7a1296e8e3dc7751da58
>> 	NAS-IP-Address = 10.130.2.1
>> 	CHAP-Challenge = 0x022074534be2e8405c867f676b46b432
>> 	3GPP2-Attr-60 = 0x00000001
>> 	3GPP2-Attr-61 = 0x0106000000010209a0000029275c41
> 
>  That looks like a series of TLVs to me.  i.e. not a password.  There
> seems to be a 32-bit integer, followed by a 64-bit integer.
> 
>> And instead of using chap to authenticate the user, we take the 3GPP2-Attr-61, convert it to the password we want, set it into the cleartext-password, and have the sql module query the DB for that new password.
> 
>  I'm not sure what that means.  "convert it to the password we want"?

Instead of using CHAP, which we are getting above, we want to use the "3GPP2-Attr-61 = 0x0106000000010209a0000029275c41" value, which we can convert to the device serial number.

In our DB we store the device serial number. The device's CHAP info, most of the time, might be tampered with or wrong.

So we wanted our EXEC script to replace the CHAP user/pass with the new PAP user/password.

> 
>> Here is the perl code that we run prior to the pap module:
>> 
>> 
>> $retattr .= "Cleartext-Password := $meid";
>> $retattr .= ", CHAP-Password :=\"\" , CHAP-Challenge :=\"\" ";
>> $retattr .= ", Auth-Type := PAP ";
> 
>  Well, that won't work.
> 
>  The Cleartext-Password is the *known good* password.  The PAP module
> needs a User-Password, too.  The User-Password is the password as
> entered by the user.
> 

Should we be setting Cleartext-Password and the User-Password?

>  If you're going to force authentication success, why not just set
> "Auth-Type := Accept"?  That avoids all of the mangling of passwords
> (chap and pap)

We still want RADIUS to run through the normal SQL process to verify that the above serial number is valid.


> 
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--regards, Joseph
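The point Alan makes is that PAP compares two different attributes: User-Password (what the client sent) against Cleartext-Password (the known-good value), so a script that only sets Cleartext-Password leaves the PAP module nothing to compare. The following is an added example, not code from this thread or from FreeRADIUS: it models a CHAP check (RFC 1994 response carried in the RADIUS CHAP-Password attribute, RFC 2865 section 5.3) and the PAP rule above, and walks the request from the post through a simulated flow where the exec script puts the serial into User-Password and a lookup standing in for the sql module supplies Cleartext-Password. The `DEVICE_SERIALS` table, the serial values and the `rewrite_for_pap` function are constructed for the example; how 3GPP2-Attr-61 is turned into a serial number is not shown here and is passed in as a parameter. The User-Name uses a literal "@" where the list archive printed " at ".

```python
"""Added example (not the thread's script and not FreeRADIUS code): models the
CHAP and PAP checks discussed in the thread to show why an attribute list
without User-Password cannot pass PAP, and why setting Cleartext-Password in
the script would bypass the database check the poster wants to keep."""
import hashlib
import hmac

# Constructed stand-in for the SQL table that stores each device's serial number.
DEVICE_SERIALS = {
    "6064191111@evdo.myawi.net": "SERIAL-EXAMPLE-0001",
}

# The request from the thread, reduced to the attributes these checks use.
REQUEST = {
    "User-Name": "6064191111@evdo.myawi.net",
    "CHAP-Password": bytes.fromhex("59db2896a9629a7a1296e8e3dc7751da58"),
    "CHAP-Challenge": bytes.fromhex("022074534be2e8405c867f676b46b432"),
}


def chap_response(ident: bytes, cleartext: str, challenge: bytes) -> bytes:
    """Build a RADIUS CHAP-Password value: one CHAP identifier byte followed by
    MD5(identifier || password || challenge), i.e. 17 bytes in total."""
    return ident + hashlib.md5(ident + cleartext.encode() + challenge).digest()


def chap_verify(chap_password: bytes, challenge: bytes, cleartext: str) -> bool:
    """Recompute the response from the known-good password and compare.
    This is the check a CHAP module performs; it needs the cleartext password."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[:1], cleartext, challenge)
    return hmac.compare_digest(expected, chap_password)


def pap_verify(request: dict, control: dict) -> tuple:
    """The PAP rule from the thread: the entered User-Password is compared
    with the known-good Cleartext-Password. Returns (accepted, reason)."""
    if "User-Password" not in request:
        return False, "no User-Password in request"
    if "Cleartext-Password" not in control:
        return False, "no Cleartext-Password known for user"
    same = hmac.compare_digest(request["User-Password"].encode(),
                               control["Cleartext-Password"].encode())
    return (True, "ok") if same else (False, "password mismatch")


def rewrite_for_pap(request: dict, meid: str) -> dict:
    """Hypothetical equivalent of the pre-PAP exec script: drop the CHAP
    attributes and put the serial derived from 3GPP2-Attr-61 into User-Password.
    Cleartext-Password is deliberately NOT set here; the database supplies it."""
    new_req = {k: v for k, v in request.items()
               if k not in ("CHAP-Password", "CHAP-Challenge")}
    new_req["User-Password"] = meid
    return new_req


def authorize_and_authenticate(request: dict, meid: str) -> tuple:
    """Simulated flow: exec rewrite, then a lookup standing in for the sql
    module fills Cleartext-Password from the stored serial, then PAP compares."""
    req = rewrite_for_pap(request, meid)
    control = {"Auth-Type": "PAP"}
    stored = DEVICE_SERIALS.get(req["User-Name"])
    if stored is not None:
        control["Cleartext-Password"] = stored
    return pap_verify(req, control)


if __name__ == "__main__":
    # The original script's outcome: Cleartext-Password set, no User-Password.
    print(pap_verify(REQUEST, {"Cleartext-Password": "x", "Auth-Type": "PAP"}))
    # Serial matches the stored one -> accepted; wrong serial -> rejected.
    print(authorize_and_authenticate(REQUEST, "SERIAL-EXAMPLE-0001"))
    print(authorize_and_authenticate(REQUEST, "SERIAL-WRONG"))
```

Running the module shows the three outcomes in order: the first call is rejected because no User-Password is present (the situation Alan describes), the second is accepted because the serial derived from the attribute matches the stored one, and the third is rejected on a mismatch while still having gone through the lookup.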
