Ascend Archive

Re: (ASCEND) CHAP authentication - I hate to ask, but...



At 11:51 AM 6/23/97 -0400, Troy Settle wrote:
>Hey all, I really hate asking this, but I've gotten nowhere with it.  I've
>read the FAQ to no avail, and tried locating the archives, but they appear
>to have been removed or renamed.
>
>Anyways, according to http://www.ascend.com/service/technotes/chap_rad.html,
> it's possible to get chap working while using the UNIX passwd to
>authenticate users.  However, the technote doesn't explain how to set it
>up.

Actually that tech note is trying to tell you why you *CAN'T* use CHAP and
RADIUS/UNIX combination. Apparently it is confusing?

>I can create a profile on my 4k, and get chap working, but not with
>radius.

It is *NOT POSSIBLE* to use CHAP/RADIUS/UNIX on *any* box.

See the attached - which I think the tech note was based on:
> > RFC 1334                   PPP Authentication               October 1992
> >
> >
> >       Implementation Note: CHAP requires that the secret be available in
> >       plaintext form.  To avoid sending the secret over other links in
> >       the network, it is recommended that the challenge and response
> >       values be examined at a central server, rather than each network
> >       access server.  Otherwise, the secret SHOULD be sent to such
> >       servers in a reversably encrypted form.
> >
> This seems to imply that the Ascend (as I suspect the Livingston does)
> could use the Ascend-Secret to encrypt the clear text password, or even
> send the clear text password if you choose to have it do so.


Ascend-secret is an Ascend extension to RADIUS.  It is used only in
communications between NAS and RADIUS.  People are forgetting who is
communicating with whom.  A picture might help:


   +--------+                 +-----+          +--------+
   | remote |_________________| NAS |__________| RADIUS |
   |  unit  |                 |     |          | SERVER |
   +--------+                 +-----+          +--------+

It makes no difference if the NAS is Ascend, Livingston, Cisco, USR, etc.
Notes:

 1) The remote unit shares a secret with the RADIUS server.  This secret
    is NOT known by the NAS. I'll call this the remote/radius secret.

 2) The NAS shares a secret with the RADIUS server.  This secret is not
    known by the remote unit.  I'll call this the nas/radius secret.

Them is the rules.  You can change them, but it is a new protocol, not
CHAP, not PAP, not RADIUS.  Given these rules:

PAP Authentication:

 * remote unit sends secret IN THE CLEAR to the NAS
 * NAS encrypts remote/radius secret using nas/radius secret
 * RADIUS decrypts remote/radius secret using nas/radius secret
 * The RADIUS server now has a clear copy of the remote/radius secret
   which it could pass on to the UNIX (or any other) password validation
   system.

CHAP Authentication:

 * NAS sends random (in Ascend's case 128 bit) challenge to remote unit.
 * remote unit calculates an MD5 digest using the remote/radius secret
   and the challenge (and the PPP packet id).  The MD5 digest is sent
   to the NAS.  The DIGEST is sent to the NAS, not the remote/radius
   secret.  The NAS never has the secret, so it can't pass it on to RADIUS.
 * NAS forwards the digest, along with the original challenge (and PPP
   packet ID) to RADIUS.  No encryption necessary as a snooper can not
   calculate the remote/radius secret even when given all the above info.
   That is the point of using MD5 -- it is a one way transform.  You can
   not (they say) decode what has been coded.
 * RADIUS also can NOT extract the remote/radius secret.  Since the
   secret can not be extracted, there is nothing to give to the unix
   password system.  CHAP and UNIX authentication can not work.
   What RADIUS can do is:
   - look up the remote/radius secret assigned to the remote unit from a
     local database.
   - calculate an MD5 digest using the local version of the remote/radius
     secret plus the challenge (and PPP packet id) received from the NAS.
   - Compare the calculated MD5 digest with the digest received from the
     NAS.
   If the digests are the same then the secrets that went into MD5 on
   both the remote unit and the RADIUS server are the same, so the user
   is authenticated.

That is how CHAP works on ALL RADIUS servers.

// marc


Kevin
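The two flows laid out in the message above (PAP with a reversibly hidden password, CHAP with a one-way digest), as an added Python example that is not part of the original thread and is not Ascend, Livingston or any RADIUS server's code. The secrets, user name and the stand-in for the UNIX password store are constructed for the example. The password hiding follows the RADIUS User-Password scheme of RFC 2865 section 5.2, and the CHAP response is MD5 over identifier, secret and challenge as in RFC 1994; both are standard, but the toy UNIX store (a salted SHA-256, verify-cleartext-only interface) is an assumption that stands in for crypt()/passwd.

```python
import hashlib
import hmac
import os

# --- Constructed secrets for the example (not from the original thread) ---
REMOTE_RADIUS_SECRET = b"troy-pw-example"    # shared by remote unit and RADIUS only
NAS_RADIUS_SECRET = b"nas-shared-secret"     # shared by NAS and RADIUS only (the Ascend-Secret role)

# Stand-in for the UNIX password system (constructed): it stores a salted hash
# and can answer exactly one question: "does this CLEARTEXT password match?"
UNIX_SALT = b"constructed-salt"
UNIX_PASSWD = {"troy": hashlib.sha256(UNIX_SALT + REMOTE_RADIUS_SECRET).hexdigest()}


def unix_check(user: str, cleartext: bytes) -> bool:
    """The only interface a UNIX-style password store offers: verify cleartext."""
    stored = UNIX_PASSWD.get(user)
    if stored is None:
        return False
    candidate = hashlib.sha256(UNIX_SALT + cleartext).hexdigest()
    return hmac.compare_digest(stored, candidate)


# ---------- PAP over RADIUS: User-Password hiding, RFC 2865 section 5.2 ----------

def nas_hide_password(password: bytes, nas_secret: bytes, authenticator: bytes) -> bytes:
    """NAS hides the cleartext PAP password with the nas/radius secret.
    MD5(secret + previous block) is XORed over each 16-byte block; this is
    reversible by design, which is exactly what lets RADIUS recover it.
    A non-empty password is assumed."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(nas_secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def radius_unhide_password(hidden: bytes, nas_secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS reverses the hiding and gets the cleartext password back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(nas_secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def pap_exchange(user: str, password: bytes, authenticator: bytes = None) -> bool:
    """remote -> NAS (cleartext) -> RADIUS (hidden) -> UNIX (cleartext again)."""
    authenticator = authenticator or os.urandom(16)
    hidden = nas_hide_password(password, NAS_RADIUS_SECRET, authenticator)
    cleartext = radius_unhide_password(hidden, NAS_RADIUS_SECRET, authenticator)
    return unix_check(user, cleartext)   # RADIUS has cleartext, so UNIX can validate it


# ---------- CHAP over RADIUS: response computation, RFC 1994 ----------

def remote_chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Remote unit: MD5(Identifier || secret || challenge).  The secret never leaves."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def radius_chap_verify(user: str, ident: int, challenge: bytes, digest: bytes,
                       local_secrets: dict) -> bool:
    """RADIUS recomputes the digest from its OWN plaintext copy of the secret
    and compares; it never learns anything from the digest itself."""
    secret = local_secrets.get(user)
    if secret is None:
        return False
    expected = remote_chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, digest)


def chap_exchange(user: str, secret: bytes, challenge: bytes = None) -> dict:
    """NAS challenge -> remote digest -> NAS forwards digest + challenge to RADIUS."""
    challenge = challenge or os.urandom(16)
    ident = 1
    digest = remote_chap_response(ident, secret, challenge)
    return {
        # Works: RADIUS holds the plaintext secret in its local database.
        "radius_local_db": radius_chap_verify(user, ident, challenge, digest,
                                              {"troy": REMOTE_RADIUS_SECRET}),
        # Fails: all RADIUS holds is the digest, and the UNIX store needs cleartext.
        "unix_from_digest": unix_check(user, digest),
    }


if __name__ == "__main__":
    print("PAP  -> UNIX:", pap_exchange("troy", REMOTE_RADIUS_SECRET))
    print("CHAP ->", chap_exchange("troy", REMOTE_RADIUS_SECRET))
```

Running it shows the asymmetry the message describes: with PAP the RADIUS side recovers the cleartext and can hand it to the UNIX check, which succeeds; with CHAP the only thing RADIUS can do is recompute the digest from its own copy of the secret, and the digest is rejected by the UNIX check because that store only validates cleartext. Nothing in the CHAP exchange gives RADIUS the secret, so no amount of configuration on the NAS changes the outcome.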
