
Re: [Help-gnu-radius] RADIUS Access-Challenge packets (PHP)


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] RADIUS Access-Challenge packets (PHP)
Date: Tue, 13 Sep 2005 11:31:30 +0300

Dwight Mowbray <address@hidden> wrote:

> server needs to include an additional parameter. The RFC document for
> RADIUS specifies that the packet must have attached:
> 
> State =     {Magic Cookie from Access-Challenge packet, unchanged}

I assume your php scripts form a client implementation, don't they?
If so, here is what RFC 2865 says about client implementations (page 5):

   If the client receives an Access-Challenge and supports
   challenge/response it MAY display the text message, if any, to the
   user, and then prompt the user for a response.  The client then re-
   submits its original Access-Request with a new request ID, with
   the User-Password Attribute replaced by the response (encrypted),
   and including the State Attribute from the Access-Challenge, if
   any. Only 0 or 1 instances of the State Attribute SHOULD be
   present in a request.  The server can respond to this new Access-
   Request with either an Access-Accept, an Access-Reject, or another
   Access-Challenge.

You seem to refer to chapter 7.3 of RFC 2865, entitled "User with
Challenge-Response card". In this particular example, the State
attribute sent by the server contains the challenge value in ASCII. The
example says:

   The Reply-Message is "Challenge 32769430.  Enter response at prompt."
   
   The State is a magic cookie to be returned along with user's
   response; in this example 8 octets of data (33 32 37 36 39 34
   33 30 in hex).

These eight octets represent the string "32769430". Notice that it is
only an example.

> I understand what the RADIUS server needs, but I'm not 100% sure
> exactly how to:
> 
> a) get the state data to send back

The exact behavior of a client is described by the above quotation and,
basically, boils down to the following: "If the challenge contains a State
attribute, include it in the response verbatim; if it doesn't, don't add
your own".

> b) append this data to the packet

Extract the State attribute from the incoming response and add it to the
packet being formed, the same way you add User-Name attribute. Assuming
the extracted attribute value is stored in variable '$state':

   // $length must already include the 2+strlen($state) octets of the
   // State attribute; the format string needs a "CCa*" group for it.
   if ($state) {
     $data=pack("CCCCa*CCCCCCCCa*CCa*CCCCCCCCa*CCCCCC",
      1,$thisidentifier,$length/256,$length%256,      // header
      $RA,                                            // authcode (16 octets)
      6,6,0,0,0,1,                                    // service type
      1,2+strlen($username),$username,                // username
      2,2+strlen($encryptedpassword),$encryptedpassword,    // userpassword
      4,6,$nasIP[0],$nasIP[1],$nasIP[2],$nasIP[3],    // nasIP
      24,2+strlen($state),$state,                     // State (type 24)
      5,6,0,0,0,0                                     // nasPort (length 6: 4-octet integer)
     );
   } else {
     // Original code from your letter.
   }

(untested example)     

> I have tried using the RADIUS module for PHP but it appears to be a
> little obscure and different to how we have already implemented the
> current version.

Unfortunately the documentation for the module is scarce as of version
1.3. If you have any questions please feel free to ask.

Regards,
Sergey
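The client-side round trip described in the message above, as an added example that is not part of Sergey's reply or of the GNU Radius or PHP RADIUS module code: it parses a constructed Access-Challenge, verifies the Response Authenticator before trusting it, and builds the follow-up Access-Request that echoes the State attribute unchanged (or omits it when the challenge carried none). All function names, the sample shared secret, user, NAS address and the challenge bytes are assumptions for illustration; only the 8-octet State value and the Reply-Message text come from RFC 2865 section 7.3.

```php
<?php
// Added example, not code from the thread or the project: a RADIUS client
// round trip per RFC 2865. Function names and sample values are assumptions.

const RADIUS_ACCESS_REQUEST   = 1;
const RADIUS_ACCESS_CHALLENGE = 11;
const ATTR_USER_NAME     = 1;
const ATTR_USER_PASSWORD = 2;
const ATTR_NAS_IP        = 4;
const ATTR_NAS_PORT      = 5;
const ATTR_SERVICE_TYPE  = 6;
const ATTR_REPLY_MESSAGE = 18;
const ATTR_STATE         = 24;

// One attribute-value pair: type, length (value + 2), value; value is at most 253 octets.
function radius_avp(int $type, string $value): string {
    if (strlen($value) > 253) throw new InvalidArgumentException('attribute too long');
    return pack('CC', $type, strlen($value) + 2) . $value;
}

// Parse the attributes of a packet into [type => [value, ...]], refusing malformed lengths.
function radius_parse_attrs(string $packet): array {
    $attrs = [];
    $len = unpack('n', substr($packet, 2, 2))[1];
    for ($pos = 20; $pos + 2 <= $len; $pos += $alen) {
        $type = ord($packet[$pos]);
        $alen = ord($packet[$pos + 1]);
        if ($alen < 2 || $pos + $alen > $len) {
            throw new RuntimeException("malformed attribute at offset $pos");
        }
        $attrs[$type][] = substr($packet, $pos + 2, $alen - 2);
    }
    return $attrs;
}

// Check a reply's Response Authenticator (RFC 2865 section 3):
// MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
function radius_check_reply(string $reply, string $requestAuth, string $secret): bool {
    $expected = md5(substr($reply, 0, 4) . $requestAuth . substr($reply, 20) . $secret, true);
    return hash_equals($expected, substr($reply, 4, 16));
}

// User-Password hiding (RFC 2865 section 5.2): pad to a multiple of 16 octets, then XOR
// each block with MD5(secret . previous block), seeded with the Request Authenticator.
function radius_hide_password(string $password, string $secret, string $authenticator): string {
    $padded = str_pad($password, (int) ceil(max(strlen($password), 1) / 16) * 16, "\0");
    $out = '';
    $prev = $authenticator;
    foreach (str_split($padded, 16) as $block) {
        $prev = md5($secret . $prev, true) ^ $block;
        $out .= $prev;
    }
    return $out;
}

// Build the Access-Request; $state is null when the challenge carried no State.
function radius_access_request(int $id, string $ra, string $secret, string $user,
                               string $response, string $nasIp, ?string $state): string {
    $attrs = radius_avp(ATTR_SERVICE_TYPE, pack('N', 1))
           . radius_avp(ATTR_USER_NAME, $user)
           . radius_avp(ATTR_USER_PASSWORD, radius_hide_password($response, $secret, $ra))
           . radius_avp(ATTR_NAS_IP, inet_pton($nasIp))
           . radius_avp(ATTR_NAS_PORT, pack('N', 0));
    if ($state !== null) {                     // echo the cookie unchanged, or not at all
        $attrs .= radius_avp(ATTR_STATE, $state);
    }
    return pack('CCn', RADIUS_ACCESS_REQUEST, $id, 20 + strlen($attrs)) . $ra . $attrs;
}

// --- Constructed sample exchange (assumed values) ---------------------------
$secret  = 'xyzzy5461';                    // shared secret used in the RFC 2865 examples
$reqAuth = random_bytes(16);               // Request Authenticator of the first request (id 7)

// Server's Access-Challenge for id 7, carrying the 8-octet State from RFC 2865 section 7.3.
$chAttrs = radius_avp(ATTR_REPLY_MESSAGE, 'Challenge 32769430.  Enter response at prompt.')
         . radius_avp(ATTR_STATE, "\x33\x32\x37\x36\x39\x34\x33\x30");
$chHead  = pack('CCn', RADIUS_ACCESS_CHALLENGE, 7, 20 + strlen($chAttrs));
$challenge = $chHead . md5($chHead . $reqAuth . $chAttrs . $secret, true) . $chAttrs;

if (!radius_check_reply($challenge, $reqAuth, $secret)) {
    exit("Access-Challenge failed authenticator check; discarding\n");
}
$attrs = radius_parse_attrs($challenge);
$state = $attrs[ATTR_STATE][0] ?? null;    // 0 or 1 State attributes expected

// Re-submit with a new ID, the user's response as User-Password, and State echoed.
$request = radius_access_request(8, random_bytes(16), $secret, 'mopsy', '99101462',
                                 '192.168.1.16', $state);
printf("Access-Request: %d octets, State echoed: %s\n",
       strlen($request), $state === null ? 'none' : bin2hex($state));
```

Two points the snippet makes that the pack() one-liner in the thread cannot: the Response Authenticator of the Access-Challenge is checked against the Request Authenticator the client sent (so a forged challenge from someone who does not hold the shared secret is dropped rather than answered), and the State value is treated as an opaque byte string that is copied from the parsed attribute list or omitted, never constructed by the client. Building attributes with a helper also keeps the Length field consistent automatically, which is where the hand-written format string in the reply goes wrong when the optional State group is added.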



