> I believed that it could function like this:
> NAS                                                      SRV
> --------1st Access-Request (name, passwd ...)--------------->
> here, the SRV validates the NAS with a shared secret by NAS/SRV, and then
> verifies the password ...
> After, "someone" decides that the peer has to be challenged :
> <-----Access-Challenge (Reply-Message=..."challenge"...)-----
> here, the NAS sends a challenge packet, takes the response from the user, and sends
> a second Access-Request to the RADIUS server :
> --------2nd Access-Request--------------------------------->
> (CHAP ID, CHAP response, CHAP username...)
> ( in the right attribute names ...)
> Is this the right functioning if it was supposed to be used with PAP or CHAP ?
No. That's not correct for either PAP or CHAP. The "name" and
"passwd" sent in the Access-Request both come from the CHAP Response
message. The NAS *MUST* generate a CHAP Challenge *FIRST* in order to
get this CHAP Response to relay to the server. Once this is done,
there's no point in doing another challenge.
> If that supposition is true, is there the challenge value (random number) inside
> the Access-Challenge ?
Access-Challenge doesn't do anything for CHAP.
> What does it mean : "They could possibly be wired into EAP, if anyone ever supports
EAP is a proposed new authentication protocol for PPP. It's quite
flexible, but nobody is really using it yet.
> You say : "(One of the unfortunate inflexibilities in RADIUS is that the NAS is
> required to gather both a username and password before opening the
> authentication session with the server. This means that at least
> those two prompts are either required or must be spoofed in a
> non-standard way in order to allow guest accounts and such.) "
> I don't understand !!!
I'm afraid I can't do better than that. RADIUS requires a name and
password in order to make the Access-Request. Sometimes, after having
gotten a name (like "guest" or "newuser"), you might like to either
provide access directly by skipping the password prompt or perhaps ask
for something different, like a credit card number. This can't be
done with RADIUS.
IronBridge Networks / 55 Hayden Avenue 71.246W Vox: +1 781 372 8132
Lexington MA 02421-7996 / USA 42.423N Fax: +1 781 372 8190
"PPP Design and Debugging" --- http://people.ne.mediaone.net/carlson/ppp
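
The CHAP ordering described in the reply above, as an added example that is not part of the original posts: the NAS issues the CHAP Challenge itself, then relays the peer's CHAP Response in a single Access-Request, with no Access-Challenge involved. The attribute numbers are from RFC 2865 and the hash is the RFC 1994 MD5 form; the function names and sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os

# RADIUS attribute types (RFC 2865)
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def nas_build_access_request(name: bytes, ident: int, challenge: bytes,
                             response: bytes) -> dict:
    """NAS relays what it collected over PPP; it never learns the secret."""
    return {
        USER_NAME: name,                           # from the CHAP Response
        CHAP_PASSWORD: bytes([ident]) + response,  # 1 + 16 octets
        CHAP_CHALLENGE: challenge,                 # challenge the NAS chose
    }


def server_verify(attrs: dict, user_db: dict) -> bool:
    """RADIUS server recomputes the hash from its stored cleartext secret."""
    secret = user_db.get(attrs[USER_NAME])
    chap_pw = attrs[CHAP_PASSWORD]
    if secret is None or len(chap_pw) != 17:
        return False
    expected = chap_response(chap_pw[0], secret, attrs[CHAP_CHALLENGE])
    return hmac.compare_digest(expected, chap_pw[1:])


def run_exchange(name: bytes, peer_secret: bytes, user_db: dict) -> bool:
    ident = 1
    challenge = os.urandom(16)                               # 1. NAS -> peer: CHAP Challenge
    response = chap_response(ident, peer_secret, challenge)  # 2. peer -> NAS: CHAP Response
    request = nas_build_access_request(name, ident, challenge, response)  # 3. NAS -> SRV
    return server_verify(request, user_db)                   # 4. Accept or Reject


if __name__ == "__main__":
    db = {b"alice": b"constructed-secret"}  # constructed sample data
    print(run_exchange(b"alice", b"constructed-secret", db))
    print(run_exchange(b"alice", b"wrong", db))
```

Because the server recomputes the hash from the stored secret, a response is only valid for the exact identifier and challenge the NAS chose.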