2 way chap

Sverre Hjelm (hjelms@norway.eu.net)
Thu, 24 Apr 1997 14:21:10 +0100

Hi,

I have a tech'ish question I hope some of you could answer. Basic: does
the portmaster family (PM3 specifically) support 2-way chap, and if so:
how?

To outline this a bit:
We have a PM3, and some cisco's which we use for ISDN access. When we
first set up the cisco to use radius, we discovered that radius doesn't
support 2-way chap. As a solution, we had to set up a tacacs+ server
using the radius users file. However, since tacacs+ is cisco's own
protocol, and definitely not supported by livingston, I wonder how
livingston solves this problem. It could of course be that I've
misunderstood this stuff, so I'll explain how I think this works, and
hopefully you'll correct me :)

Scenario:
Our customer, C, establishes a connection. Our portmaster/router/whatever
sends a CHAP-CHALLENGE packet including a random value and the hostname of
our NAS. C either looks up the password from a table based on the hostname,
or uses a standard password. The password and random value are crypted using
a one-way function (md5). Then, C sends the crypted result
back to the NAS in a CHAP-RESPONSE packet. The NAS wraps this into a
radius packet, using the CHAP-PASSWORD and AUTHENTICATOR fields.
The radius server computes the hash itself based on the password found
in the users file, and the random value found in the AUTHENTICATOR field.
The hash must match the one supplied in the CHAP-PASSWORD field.

But now, C wants to authenticate the NAS. It sends a CHAP-CHALLENGE
packet to the nas, containing its username and a random
value. The NAS has to look up the password somewhere, and here the
problem begins. Since radius only supports ack/nak, there's no way
the NAS gets the password, and as a result, the NAS can't compute the
crypted hash and return it to C. The line is dropped by C because the NAS isn't
able to authenticate itself.

Now, unless I'm mistaken, there is no support for 2-way chap in the radius
protocol. It could very well have been, though. A new pair of attributes
could enable the NAS to send the username and random number to the radius
server, having the server do the hash crypt based on the password found
in the users file, returning the hash to the NAS, which again
sends the hash in a CHAP-RESPONSE packet to C. C happy as a clam :)

Am I mistaken? Is this supported in radius? Will it be supported in
the future, or is there some other way this 2-way chap thing is solved?
Comments, please.

Sverre Hjelm, EUnet Norway
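The two directions described in the post, as an added example that is not part of the original message or of any Livingston or Cisco code. It follows RFC 1994, where the CHAP response is MD5(Identifier || secret || challenge) (the one-byte CHAP Identifier is hashed in alongside the password and random value), and RFC 2865, where the RADIUS server takes the challenge from the CHAP-Challenge attribute if present and otherwise from the 16-byte Request Authenticator. The secret and identifier values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample secret, standing in for the entry in the radius users file.
SECRET = b"s3cret-from-users-file"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def peer_answers_challenge(ident: int, challenge: bytes, secret: bytes) -> bytes:
    """What C does on CHAP-CHALLENGE: the 17-byte value the NAS forwards to
    RADIUS as CHAP-Password (CHAP Ident byte + 16-byte MD5 response)."""
    return bytes([ident]) + chap_response(ident, secret, challenge)


def radius_verify(chap_password: bytes, request_authenticator: bytes,
                  secret: bytes, chap_challenge: Optional[bytes] = None) -> bool:
    """RADIUS server side (RFC 2865): recompute the hash from the users-file
    password. Challenge = CHAP-Challenge attribute if sent, else the Request
    Authenticator (the AUTHENTICATOR field the post refers to)."""
    if len(chap_password) != 17:
        return False
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    ident, supplied = chap_password[0], chap_password[1:]
    expected = chap_response(ident, secret, challenge)
    # Constant-time compare; the server only answers Access-Accept / Access-Reject.
    return hmac.compare_digest(expected, supplied)


def nas_answers_peer_challenge(ident: int, challenge: bytes,
                               local_secret: Optional[bytes]) -> Optional[bytes]:
    """Reverse direction: C challenges the NAS. With only an ack/nak from
    RADIUS and no local copy of the secret, there is nothing to hash."""
    if local_secret is None:
        return None
    return chap_response(ident, local_secret, challenge)


def demo() -> Tuple[bool, bool]:
    """Run both directions with fresh random challenges.
    Returns (inbound_ok, outbound_ok) for a NAS that holds no secret locally."""
    ident = 0x2A
    authenticator = os.urandom(16)  # Request Authenticator doubles as the challenge
    chap_pw = peer_answers_challenge(ident, authenticator, SECRET)
    inbound_ok = radius_verify(chap_pw, authenticator, SECRET)
    outbound_ok = nas_answers_peer_challenge(ident, os.urandom(16), None) is not None
    return inbound_ok, outbound_ok
```

Running demo() yields (True, False): the customer is verified through RADIUS, but the NAS cannot answer the customer's challenge without the password in hand, which is exactly the gap the post describes.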