Re: [Help-gnu-radius] RADIUS Access-Challenge packets (PHP)
From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] RADIUS Access-Challenge packets (PHP)
Date: Tue, 13 Sep 2005 11:31:30 +0300
Dwight Mowbray <address@hidden> wrote:
> server needs to include an additional parameter. The RFC document for
> RADIUS specifies that the packet must have attached:
>
> State = {Magic Cookie from Access-Challenge packet, unchanged}
I assume your php scripts form a client implementation, don't they?
If so, here is what RFC 2865 says about client implementations (page 5):
If the client receives an Access-Challenge and supports
challenge/response it MAY display the text message, if any, to the
user, and then prompt the user for a response. The client then re-
submits its original Access-Request with a new request ID, with
the User-Password Attribute replaced by the response (encrypted),
and including the State Attribute from the Access-Challenge, if
any. Only 0 or 1 instances of the State Attribute SHOULD be
present in a request. The server can respond to this new Access-
Request with either an Access-Accept, an Access-Reject, or another
Access-Challenge.
You seem to refer to chapter 7.3 of the RFC 2865, entitled "User with
Challenge-Response card". In this particular example, the State
attribute sent by server contains the challenge value in ASCII. The
example says:
The Reply-Message is "Challenge 32769430. Enter response at prompt."
The State is a magic cookie to be returned along with user's
response; in this example 8 octets of data (33 32 37 36 39 34
33 30 in hex).
These eight octets represent the string "32769430". Notice that it is
only an example.
> I understand what the RADIUS server needs, but I'm not 100% sure
> exactly how to:
>
> a) get the state data to send back
The exact behavior of a client is described by the above quotation and,
basically, boils down to the following: "If the challenge contains a State
attribute, include it in the response verbatim; if it doesn't, don't add
your own".
> b) append this data to the packet
Extract the State attribute from the incoming response and add it to the
packet being formed, the same way you add User-Name attribute. Assuming
the extracted attribute value is stored in variable '$state':
if ($state) {
    $data = pack("CCna*CCCCCCCCa*CCa*CCCCCCCCa*CCCCCC",
        1, $thisidentifier, $length,                        // header: Access-Request, ID, 16-bit length
        $RA,                                                // Request Authenticator, 16 octets
        6, 6, 0, 0, 0, 1,                                   // Service-Type (6), length 6, Login (1)
        1, 2+strlen($username), $username,                  // User-Name (1)
        2, 2+strlen($encryptedpassword), $encryptedpassword, // User-Password (2), already encrypted
        4, 6, $nasIP[0], $nasIP[1], $nasIP[2], $nasIP[3],   // NAS-IP-Address (4)
        24, 2+strlen($state), $state,                       // State (24), copied verbatim from the challenge
        5, 6, 0, 0, 0, 0                                    // NAS-Port (5), length 6, 4-octet integer
    );
} else {
    // Original code from your letter.
}
(untested example)
> I have tried using the RADIUS module for PHP but it appears to be a
> little obscure and different to how we have already implemented the
> current version.
Unfortunately the documentation for the module is scarce as of version
1.3. If you have any questions please feel free to ask.
Regards,
Sergey
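The round trip the reply describes (Access-Request, Access-Challenge carrying State, re-submitted Access-Request with a new identifier and the State copied back), as an added PHP example that is not code from this mail or from GNU Radius. The shared secret, NAS address, user name, passwords and the Access-Challenge packet are all constructed here so the script runs offline; the User-Password hiding follows RFC 2865 section 5.2 and the Response Authenticator check follows section 3 of the same RFC.

```php
<?php
// Added example, not from the original mail or GNU Radius: a minimal RFC 2865
// client-side exchange done entirely in memory (no UDP socket). Secret, NAS
// address, users, passwords and the challenge packet are constructed here.

const RAD_ACCESS_REQUEST   = 1;
const RAD_ACCESS_CHALLENGE = 11;
const ATTR_USER_NAME       = 1;
const ATTR_USER_PASSWORD   = 2;
const ATTR_NAS_IP_ADDRESS  = 4;
const ATTR_NAS_PORT        = 5;
const ATTR_SERVICE_TYPE    = 6;
const ATTR_REPLY_MESSAGE   = 18;
const ATTR_STATE           = 24;

// RFC 2865 section 5.2: NUL-pad the password to a multiple of 16 octets, then
// XOR each block with MD5(secret . previous block); the "previous block" for
// the first one is the Request Authenticator.
function encryptUserPassword(string $password, string $secret, string $authenticator): string
{
    $len = max(16, (int) ceil(strlen($password) / 16) * 16);
    $padded = str_pad($password, $len, "\0");
    $out = '';
    $prev = $authenticator;
    for ($i = 0; $i < $len; $i += 16) {
        $block = substr($padded, $i, 16) ^ md5($secret . $prev, true);
        $out .= $block;
        $prev = $block;
    }
    return $out;
}

// One Type / Length / Value attribute; Length counts its own two octets.
function attr(int $type, string $value): string
{
    return pack('CCa*', $type, 2 + strlen($value), $value);
}

// Code, Identifier, 16-bit big-endian Length, 16-octet Authenticator, attributes.
function radiusPacket(int $code, int $id, string $authenticator, string $attrs): string
{
    return pack('CCna16a*', $code, $id, 20 + strlen($attrs), $authenticator, $attrs);
}

// Walk the attribute list of a received packet into [type => [value, ...]],
// never reading past the advertised Length or past a truncated buffer.
function parseAttributes(string $packet): array
{
    $hdr = unpack('Ccode/Cid/nlen', $packet);
    $end = min($hdr['len'], strlen($packet));
    $attrs = [];
    $pos = 20;
    while ($pos + 2 <= $end) {
        $type = ord($packet[$pos]);
        $alen = ord($packet[$pos + 1]);
        if ($alen < 2 || $pos + $alen > $end) {
            break;                              // malformed attribute: stop here
        }
        $attrs[$type][] = substr($packet, $pos + 2, $alen - 2);
        $pos += $alen;
    }
    return $attrs;
}

// Build an Access-Request. State goes in verbatim only when the server sent
// one (0 or 1 State attributes; the client never makes one up).
function accessRequest(int $id, string $secret, string $user, string $password,
                       array $nasIp, ?string $state): string
{
    $ra = random_bytes(16);                     // fresh Request Authenticator per request
    $attrs  = attr(ATTR_SERVICE_TYPE, pack('N', 1));        // Login
    $attrs .= attr(ATTR_USER_NAME, $user);
    $attrs .= attr(ATTR_USER_PASSWORD, encryptUserPassword($password, $secret, $ra));
    $attrs .= attr(ATTR_NAS_IP_ADDRESS, pack('C4', ...$nasIp));
    if ($state !== null) {
        $attrs .= attr(ATTR_STATE, $state);
    }
    $attrs .= attr(ATTR_NAS_PORT, pack('N', 0));
    return radiusPacket(RAD_ACCESS_REQUEST, $id, $ra, $attrs);
}

$secret = 'testing123';                         // constructed shared secret
$nasIp  = [192, 0, 2, 10];                      // constructed NAS address

// 1. First Access-Request with the user's real password.
$first   = accessRequest(1, $secret, 'dwight', 'initial-pw', $nasIp, null);
$reqAuth = substr($first, 4, 16);

// 2. Constructed Access-Challenge modelled on the RFC 2865 section 7.3 example:
//    same Identifier as the request, Response Authenticator computed over it.
$chAttrs   = attr(ATTR_REPLY_MESSAGE, 'Challenge 32769430. Enter response at prompt.')
           . attr(ATTR_STATE, '32769430');
$unsigned  = radiusPacket(RAD_ACCESS_CHALLENGE, 1, $reqAuth, $chAttrs);
$challenge = substr($unsigned, 0, 4) . md5($unsigned . $secret, true) . $chAttrs;

// 3. Verify the Response Authenticator, MD5(Code+ID+Length+RequestAuth+
//    Attributes+Secret), before trusting anything in the packet.
$expected = md5(substr($challenge, 0, 4) . $reqAuth . substr($challenge, 20) . $secret, true);
if (!hash_equals($expected, substr($challenge, 4, 16))) {
    exit("Response Authenticator mismatch, dropping packet\n");
}

// 4. Re-submit: new Identifier, the user's challenge response in place of the
//    password, and the State attribute exactly as received.
$state  = parseAttributes($challenge)[ATTR_STATE][0] ?? null;
$second = accessRequest(2, $secret, 'dwight', '1234567890', $nasIp, $state);
echo 'State echoed back: ', bin2hex(parseAttributes($second)[ATTR_STATE][0]), "\n";
```

Run with `php` from the command line; the last line prints the State octets `3332373639343330`, which are the same eight octets the RFC example lists. The authenticator check in step 3 is the part most PHP clients skip: without it an attacker on the path can inject an Access-Challenge (or an Access-Accept) that the client will act on, because nothing else in the packet is authenticated.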