Exercising Challenge/Response code path in pam client?
Alan DeKok
aland at deployingradius.com
Fri Sep 23 19:57:51 CEST 2016
On Sep 23, 2016, at 1:15 PM, Richard Perrin <rcp at sentientmeat.ca> wrote:
> Any pointers on how to do the unlang challenge-response?
You need to manage the State attribute, and the challenge-response.
> I've built and run 3.0.11, and have successful authentication
> happening with the following minimalistic config file in
> sites-enabled:
>
> server port18121 {
>     listen {
>         ipaddr = *
>         port = 18121
>         type = auth
>     }
>     authorize {
>         update control {
>             Cleartext-Password := "radiuspass"
>         }
>         pap
>     }
>     authenticate {
>         pap
>     }
> }
>
> Not sure what's simplest to replace pap with in order to generate the
> challenges.
You need to do EVERYTHING to manage the challenge yourself. You need to understand how challenge-response works in RADIUS.
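authorize {
    if (!State) {
        # First round: no State in the request, so send the challenge.
        update reply {
            Reply-Message := "this is the challenge"
        }
        # Keep the expected response in session-state, which is carried
        # over to the next round; the control list is per-request.
        update session-state {
            Cleartext-Password := "response"
        }
        challenge
    }
    else {
        # Second round: compare the response with the saved value.
        if (&User-Password != &session-state:Cleartext-Password) {
            reject
        }
        accept
    }
}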
Of course, this presumes that the NAS understands challenge-response. Which it might not.
To be honest, there's pretty much no reason to invent your own challenge-response mechanism. Using an existing one is much preferred.
Alan DeKok.
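
To exercise a policy like the one above from the client side, the following added example (not part of the original post and not FreeRADIUS code) builds the two Access-Request packets a NAS sends and parses the Access-Challenge between them, per RFC 2865. The function names are illustrative, and sign_reply exists only so a constructed sample challenge can be produced offline.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(ident, secret, user, password, state=None):
    """Return (packet, request_authenticator); State is echoed byte-for-byte."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    if state is not None:
        attrs += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def sign_reply(code, ident, req_auth, secret, attrs):
    """Server-side Response Authenticator; used here only to construct sample replies."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def parse_reply(packet, req_auth, secret):
    """Verify the Response Authenticator, then return (code, {type: [values]})."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length")
    body = packet[20:length]
    want = hashlib.md5(packet[:4] + req_auth + body + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(body[pos], []).append(body[pos + 2:pos + body[pos + 1]])
        pos += body[pos + 1]
    return code, attrs
```

The first call to build_request omits state; the second passes the State value returned by parse_reply unchanged and puts the challenge response in the password argument.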