Exercising Challenge/Response code path in pam client?

Alan DeKok aland at deployingradius.com
Fri Sep 23 19:57:51 CEST 2016


On Sep 23, 2016, at 1:15 PM, Richard Perrin <rcp at sentientmeat.ca> wrote:
> Any pointers on how to do the unlang challenge-response?

  You need to manage the State attribute, and the challenge-response.

> I've built and run 3.0.11, and have successful authentication
> happening with the following minimalistic config file in
> sites-enabled:
> 
> server port18121 {
>        listen {
>                ipaddr = *
>                port = 18121
>                type = auth
>        }
>        authorize {
>                update control {
>                        Cleartext-Password := "radiuspass"
>                }
>                pap
>        }
>        authenticate {
>                pap
>        }
> }
> 
> Not sure what's simplest to replace pap with in order to generate the
> challenges.

  You need to do EVERYTHING to manage the challenge yourself.  You need to understand how challenge-response works in RADIUS.

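authorize {
	if (!State) {
		#  No State attribute: this is the first Access-Request.
		update reply {
			Reply-Message := "this is the challenge"
		}
		#  Save the expected response in session-state, the list
		#  the else branch reads.  The control list is not kept
		#  between packets.
		update session-state {
			Cleartext-Password := "response"
		}

		challenge
	}
	else {
		#  State is present: this is the answer to the challenge.
		if (&User-Password != &session-state:Cleartext-Password) {
			reject
		}
		accept
	}
}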

  Of course, this presumes that the NAS understands challenge-response.  Which it might not.

  To be honest, there's pretty much no reason to invent your own challenge-response mechanism.  Using an existing one is much preferred.

  Alan DeKok.
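
Added example (not part of the original message, and not FreeRADIUS code): a small Python model of the two-packet exchange described in the reply above, showing what "managing the State attribute" involves on the server side and what the client has to echo back. The class and function names, the 30-second lifetime, and the single-use and constant-time checks are assumptions made for this illustration.

```python
import hmac
import secrets
import time

STATE_TTL = 30  # assumed lifetime, in seconds, of an outstanding challenge


class ChallengeServer:
    """Toy model of the server side; not FreeRADIUS code."""

    def __init__(self, expected_response, now=time.monotonic):
        self.expected = expected_response.encode()
        self.now = now
        self.sessions = {}  # State value -> (User-Name, expiry time)

    def handle(self, request):
        """Take a dict of request attributes, return (packet type, reply attributes)."""
        state = request.get("State")
        if state is None:
            # First Access-Request: answer with a challenge and a fresh random State.
            state = secrets.token_bytes(16)
            self.sessions[state] = (request.get("User-Name"), self.now() + STATE_TTL)
            return "Access-Challenge", {"State": state,
                                        "Reply-Message": "this is the challenge"}
        # Follow-up request: the State must be one we issued, and is used once.
        user, expiry = self.sessions.pop(state, (None, 0))
        if user is None or user != request.get("User-Name") or self.now() > expiry:
            return "Access-Reject", {}
        supplied = request.get("User-Password", "").encode()
        if hmac.compare_digest(supplied, self.expected):
            return "Access-Accept", {}
        return "Access-Reject", {}


def client_login(server, user, answer):
    """NAS/client side: ask, then echo State back unmodified with the answer."""
    kind, reply = server.handle({"User-Name": user})
    if kind != "Access-Challenge":
        return kind
    kind, _ = server.handle({"User-Name": user, "User-Password": answer,
                             "State": reply["State"]})
    return kind


if __name__ == "__main__":
    srv = ChallengeServer("response")
    print(client_login(srv, "bob", "response"))  # correct answer
    print(client_login(srv, "bob", "guess"))     # wrong answer
```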