Which octets are "PAP ID" and "CHAP ID"

Post by jean-luc.sir » Fri, 25 Sep 1998 04:00:00



Hello Mr ... or ... (the problem is that I don't know ...)

I'm reading RFC 2138 (RADIUS), and in paragraph 2.2 I have a
little problem:

the datagram with PAP is:
C0 . 23 . "code" . "ID" . "length" . "ID length" . "peer-ID" . "passwd
length" . "password"

and with CHAP is:
C2 . 23 . "code" . "ID" . "length" . "value size" . "value" . "name..."

And I read that with PAP, the NAS uses the PAP ID as the User-Name
attribute in the Access-Request packet.

Question 1 ===> considering the PAP packet format above, what is the PAP
ID?
                           (the general ID, or the peer-ID?)

Then the text says that with CHAP the user returns a "response" packet
with 3 pieces of information: CHAP response, CHAP ID and CHAP username.
And after that, the NAS generates an Access-Request with:
    .CHAP username                        as the User-Name attribute
    .CHAP ID+CHAP response       as  the CHAP-Password

Question 2 =====> In the CHAP packet format, where is all this
information placed:
                                CHAP username, CHAP ID and CHAP
response?

Thank you very much
Merci beaucoup
Muchas gracias

Jean-Luc


Post by James Carlson » Fri, 25 Sep 1998 04:00:00



> the datagram with PAP is :
> C0 . 23 . "code" . "ID" . "length" . "ID length" . "peer-ID" . "passwd
> length" . "password"

> and with CHAP is :
> C2 . 23 . "code" . "ID" . "length" . "value size" . "value" . "name..."

> And i'm reading that with PAP, the NAS use in the Access-Request packet,
> the PAP ID as the User-Name attribute.

> Question 1 ===> considering the PAP packet format above, what is the PAP
> ID ?
>                            (the ID general ? or the peer-ID ?)

That would be the "peer-ID."  PPP implementations that have user
interfaces (many do not) present "peer-ID" as "user name."  That's the
convention that RADIUS is referring to here.  (The "ID" field is just
the general PPP NCP ID field.  It's a 16 bit number and should be
unique for each PAP Authenticate-Request.  It has no other identifying
properties, though.)

> After, the text says that with CHAP the user returns a packet "response"
> with 3 informations : CHAP response, CHAP ID & CHAP username.

First, the NAS generates a CHAP Challenge value and transmits this to
the peer.  The peer "user" returns a CHAP Response value along with
his peer-ID (again, the "user name" by convention).

> And after that, the NAS generates an Access-Request with :
>     .CHAP username                        as the User-Name attribute
>     .CHAP ID+CHAP response       as  the CHAP-Password

> Question 2 =====> In the CHAP packet format, wher are placed all the
> informations :
>                                 CHAP username, CHAP ID and CHAP
> response  ?

CHAP "username" is the "name" field from RFC 1994 (CHAP).  The "CHAP
ID" value is the general PPP ID field (16 bit number), and the CHAP
Response is the 16 octet Response field from the peer.  The original
CHAP Challenge value is either placed in the Request Authenticator
field of the RADIUS message (if the challenge is 16 octets long) or
it's placed in the CHAP-Challenge attribute (if it's different).

Note that the RADIUS server doesn't control the Challenge value.

--

IronBridge Networks / 55 Hayden Avenue  71.246W    Vox:  +1 781 372 8132
Lexington MA  02421-7996 / USA          42.423N    Fax:  +1 781 372 8190
"PPP Design and Debugging" --- http://people.ne.mediaone.net/carlson/ppp

Post by jean-luc.sir » Sat, 26 Sep 1998 04:00:00


Thank you so much James!!

When you say: The "ID" field is just the general PPP NCP ID field.
I don't understand: rather, isn't it the PPP PAP ID field?

Also you say: It's a 16 bit number and should be unique ...
I don't understand, because I read in RFC 1334 that the identifier field is
one octet and aids in matching requests and replies!

Then you say: Note that the RADIUS server doesn't control the Challenge
value.
It seems "bizarre" to me; I thought that the challenge was sent by the RADIUS
server in an Access-Challenge RADIUS packet.
(see p.7 "Example" RFC 2138)

Thank you again !
Jean-Luc

Post by James Carlson » Sat, 26 Sep 1998 04:00:00



> Thank you so much James!!

> When you say: The "ID" field is just the general PPP NCP ID field.
> I don't understand: rather, isn't it the PPP PAP ID field?

Same thing.  All PPP NCPs and look-alikes (like PAP) use the same
header format.  That format includes an 8 bit "Identifier" field.
It's the same for all.

> Also you say: It's a 16 bit number and should be unique ...
> I don't understand, because I read in RFC 1334 that the identifier field is
> one octet and aids in matching requests and replies!

Eh ... sorry.  Temporary seizure.  Yes, it's a single octet.

The rest is correct.  It's just a random number so you can tell when
you get a reply whether or not the current request caused it.  If it
doesn't match, you silently discard the message.

> Then you say: Note that the RADIUS server doesn't control the Challenge
> value.
> It seems "bizarre" to me; I thought that the challenge was sent by the RADIUS
> server in an Access-Challenge RADIUS packet.
> (see p.7 "Example" RFC 2138)

No, that's not how it works.  Read further on page 7:

   For CHAP, the NAS generates a random challenge (preferably 16 octets)
   and sends it to the user, who returns a CHAP response along with a
   CHAP ID and CHAP username.  The NAS then sends an Access-Request
   packet to the RADIUS server with the CHAP username as the User-Name

The RADIUS Access-Challenge message is used only after the
Access-Request has started, and that request must have a user name and
password in it.  Access-Challenge is used on text interfaces to add
something after the typical "password" prompt (like an "account:"
prompt).  They could possibly be wired into EAP, if anyone ever
supports it.  But RADIUS Access-Challenge isn't supposed to be used
for PAP or CHAP.

(One of the unfortunate inflexibilities in RADIUS is that the NAS is
required to gather both a username and password before opening the
authentication session with the server.  This means that at least
those two prompts are either required or must be spoofed in a
non-standard way in order to allow guest accounts and such.)

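The field mapping James lays out in his two replies above, written out as an added Python example (this is not code from the thread, from either poster, or from any RADIUS or PPP implementation). It builds and parses a PAP Authenticate-Request and a CHAP Response, relays the CHAP fields into RADIUS attributes the way a NAS would (the one-octet Identifier plus the 16-octet Response into CHAP-Password, the Name into User-Name, and the NAS's own challenge into the Request Authenticator when it is 16 octets long or into the CHAP-Challenge attribute otherwise), and then checks the response on the server side by recomputing MD5(Identifier || secret || challenge) as RFC 1994 specifies. MD5-CHAP is assumed; the user name, secret and challenge bytes are constructed sample data, and the function names are my own.

```python
# Added example; not code from the thread, its posters or any RADIUS/PPP project.
# It puts the field mapping the thread settles on into executable form:
#   PAP Peer-ID / CHAP Name                -> RADIUS User-Name (type 1)
#   CHAP Identifier (1 octet) + Response   -> RADIUS CHAP-Password (type 3)
#   NAS-generated challenge                -> Request Authenticator if 16 octets,
#                                             else CHAP-Challenge (type 60)
# Layouts per RFC 1334 (PAP), RFC 1994 (CHAP), RFC 2138/2865 (RADIUS).  Names,
# secrets and challenge values are constructed sample data.
import hashlib
import hmac
import os
import struct

PPP_PAP, PPP_CHAP = 0xC023, 0xC223
PAP_AUTH_REQ, CHAP_RESPONSE = 1, 2
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60


def _ppp_header(frame, want_proto, want_code):
    """Protocol(2) Code(1) Identifier(1) Length(2); Length excludes Protocol."""
    proto, code, ident, length = struct.unpack("!HBBH", frame[:6])
    if proto != want_proto or code != want_code:
        raise ValueError("unexpected protocol/code %#06x/%d" % (proto, code))
    if length < 4 or len(frame) < 2 + length:
        raise ValueError("truncated PPP packet")
    return ident, frame[6:2 + length]

def build_pap_request(ident, peer_id, password):
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!HBBH", PPP_PAP, PAP_AUTH_REQ, ident, 4 + len(body)) + body

def parse_pap_request(frame):
    """PAP Authenticate-Request: Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    ident, body = _ppp_header(frame, PPP_PAP, PAP_AUTH_REQ)
    n = body[0]
    if len(body) < 2 + n or len(body) < 2 + n + body[1 + n]:
        raise ValueError("PAP length fields exceed packet")
    m = body[1 + n]
    return {"ident": ident, "peer_id": body[1:1 + n], "password": body[2 + n:2 + n + m]}

def chap_md5(ident, secret, challenge):
    """RFC 1994 section 4.1: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def build_chap_response(ident, secret, challenge, name):
    """The peer's reply to the NAS's CHAP Challenge (Code 1)."""
    body = bytes([16]) + chap_md5(ident, secret, challenge) + name
    return struct.pack("!HBBH", PPP_CHAP, CHAP_RESPONSE, ident, 4 + len(body)) + body

def parse_chap_response(frame):
    """CHAP Response: Value-Size(1), Value (16 octets for MD5), Name (to end)."""
    ident, body = _ppp_header(frame, PPP_CHAP, CHAP_RESPONSE)
    size = body[0]
    if size != 16 or len(body) < 17:
        raise ValueError("MD5-CHAP Response value must be 16 octets")
    return {"ident": ident, "response": body[1:17], "name": body[17:]}

def tlv(attr_type, value):
    """RADIUS attribute: Type(1) Length(1, includes this header) Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def parse_attrs(blob):
    attrs, i = {}, 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = blob[i + 2:i + length]
        i += length
    return attrs

def nas_access_request_for_chap(chap, challenge):
    """NAS side: relay a parsed CHAP Response.  Returns
    (request_authenticator, attribute_blob) for the Access-Request."""
    attrs = tlv(ATTR_USER_NAME, chap["name"])
    attrs += tlv(ATTR_CHAP_PASSWORD, bytes([chap["ident"]]) + chap["response"])
    if len(challenge) == 16:  # a 16-octet challenge doubles as Request Authenticator
        return challenge, attrs
    return os.urandom(16), attrs + tlv(ATTR_CHAP_CHALLENGE, challenge)

def server_verify_chap(request_authenticator, attr_blob, user_secret):
    """RADIUS server side.  The server did not choose the challenge; it takes it
    from CHAP-Challenge or else the Request Authenticator and recomputes the hash."""
    attrs = parse_attrs(attr_blob)
    cp = attrs.get(ATTR_CHAP_PASSWORD, b"")
    if len(cp) != 17:
        return False
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, request_authenticator)
    return hmac.compare_digest(chap_md5(cp[0], user_secret, challenge), cp[1:])


if __name__ == "__main__":
    secret, challenge = b"constructed-user-secret", bytes(range(16))
    wire = build_chap_response(0x2A, secret, challenge, b"jeanluc")
    ra, attrs = nas_access_request_for_chap(parse_chap_response(wire), challenge)
    print(server_verify_chap(ra, attrs, secret), server_verify_chap(ra, attrs, b"wrong"))  # True False
```

Running the file prints `True False`: the relayed response verifies against the user's secret and fails against a wrong one. The server only ever learns the challenge the NAS picked, from the Request Authenticator or the CHAP-Challenge attribute, which is the point about Access-Challenge having no role in CHAP.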

Post by jean-luc.sir » Tue, 29 Sep 1998 04:00:00


You say: "The RADIUS Access-Challenge message is used only after the
Access-Request has started ..."

I believed that it could work like this:

NAS                                                           RADIUS SRV
    --------1st Access-Request (name, passwd ...)--------------->

here, the SRV validates the NAS with the shared secret between NAS and SRV, and then
verifies the password ...
Then "someone" decides that the peer has to be challenged:

    <-----Access-Challenge (Reply-Message=..."challenge"...)-----

here, the NAS sends a challenge packet, takes the response from the user, and sends
a second Access-Request to the RADIUS server:

    --------2nd Access-Request--------------------------------->
           (CHAP ID, CHAP response, CHAP username...)
            ( in the right attribute names ...)

Is this the right way of working if it were supposed to be used with PAP or CHAP?
If that supposition is true, is the challenge value (random number) inside
the Access-Challenge?

What does it mean : "They could possibly be wired into EAP, if anyone ever supports
it."

You say: "(One of the unfortunate inflexibilities in RADIUS is that the NAS is
required to gather both a username and password before opening the
authentication session with the server.  This means that at least
those two prompts are either required or must be spoofed in a
non-standard way in order to allow guest accounts and such.) "

I don't understand!!!
THANKS .... see you soon, I guess

Post by James Carlson » Tue, 29 Sep 1998 04:00:00



> I believed that it could work like this:

> NAS                                                           RADIUS SRV
>     --------1st Access-Request (name, passwd ...)--------------->

> here, the SRV validates the NAS with the shared secret between NAS and SRV, and then
> verifies the password ...
> Then "someone" decides that the peer has to be challenged:

>     <-----Access-Challenge (Reply-Message=..."challenge"...)-----

> here, the NAS sends a challenge packet, takes the response from the user, and sends
> a second Access-Request to the RADIUS server:

>     --------2nd Access-Request--------------------------------->
>            (CHAP ID, CHAP response, CHAP username...)
>             ( in the right attribute names ...)

> Is this the right way of working if it were supposed to be used with PAP or CHAP?

No.  That's not correct for either PAP or CHAP.  The "name" and
"passwd" sent in the Access-Request both come from the CHAP Response
message.  The NAS *MUST* generate a CHAP Challenge *FIRST* in order to
get this CHAP Response to relay to the server.  Once this is done,
there's no point in doing another challenge.

> If that supposition is true, is the challenge value (random number) inside
> the Access-Challenge?

Access-Challenge doesn't do anything for CHAP.

> What does it mean : "They could possibly be wired into EAP, if anyone ever supports
> it."

EAP is a proposed new authentication protocol for PPP.  It's quite
flexible, but nobody is really using it yet.

> You say: "(One of the unfortunate inflexibilities in RADIUS is that the NAS is
> required to gather both a username and password before opening the
> authentication session with the server.  This means that at least
> those two prompts are either required or must be spoofed in a
> non-standard way in order to allow guest accounts and such.) "

> I don't understand!!!

I'm afraid I can't do better than that.  RADIUS requires a name and
password in order to make the Access-Request.  Sometimes, after having
gotten a name (like "guest" or "newuser"), you might like to either
provide access directly by skipping the password prompt or perhaps ask
for something different, like a credit card number.  This can't be
done with RADIUS.
