Hello,
I am using MikroTik HotSpot and I have an external login page which authenticates based on CHAP authentication.
The CHAP authentication uses md5.js hashing methods to authenticate the users.
But I have concerns that if someone has the md5.js file and trace my chap-id and chap-challenge, he/she can authenticate the user in.
Is there a way to change the hashing of CHAP authentication in MikroTik?
So if someone has the md5.js file, he/she can do nothing.
Thank you in advance.
The only thing md5.js provides is an implementation of the MD5 algorithm, as a JavaScript function. If someone has access to that file, the only thing they can do is compute an MD5 hash of a string that they supply. Nothing more, nothing less.
The chap-id and chap-challenge are RouterOS variables that are only populated by the router itself on its own pages.
Thank you for the tips.
Because I use an external login page, I have to provide chap-id and chap-challenge in my login page in MikroTik.
So if someone calls the login URL (http://xx.xx.xx.xx/login) using JSONP, he/she can parse my page and find the chap-id and chap-challenge and use them.
Is there a way to secure this issue?
Thank you in advance.
If someone calls the page via JavaScript, they must provide a chap-id and chap-challenge, that your server will then send back to the router.
If the chap-id/chap-challenge doesn’t match or is not provided, the server will send it to the router anyway, but the router won’t let them log in.
And the only way it can match is if they know the chap-id/chap-challenge, which they would only if the JavaScript was at the router’s login page. You can’t prevent users from executing their own JavaScript code inside their browser (using the “javascript” URI scheme). Even if you’re not using an external login page, users can still run a custom JavaScript over the router’s login page, ultimately logging in.
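The point made in the replies above, as an added example that is not part of the original thread: the CHAP response is MD5(chap-id + password + chap-challenge), the standard CHAP construction that the HotSpot login page computes with md5.js, so the secret is the password and not the hash function. `RouterModel`, the user, password and MAC address are hypothetical, constructed stand-ins for the router side; Node's `crypto` replaces md5.js.

```javascript
// Added example: a simplified model of HotSpot CHAP, not RouterOS code.
const crypto = require('crypto');

// Same job as hexMD5() in md5.js: a public algorithm with no secret inside it.
function hexMD5(bytes) {
  return crypto.createHash('md5').update(bytes).digest('hex');
}

// Login page side: response = MD5(chap-id || password || chap-challenge).
// Assumption: password characters are treated as single bytes (latin1).
function chapResponse(chapId, password, chapChallenge) {
  return hexMD5(Buffer.concat([chapId, Buffer.from(password, 'latin1'), chapChallenge]));
}

// Router side (hypothetical model): one fresh challenge per client, used once.
class RouterModel {
  constructor(users) { this.users = users; this.pending = new Map(); }
  issueChallenge(client) {
    const c = { chapId: crypto.randomBytes(1), chapChallenge: crypto.randomBytes(16) };
    this.pending.set(client, c);
    return c;
  }
  login(client, username, responseHex) {
    const c = this.pending.get(client);
    this.pending.delete(client); // a challenge is never reused
    const password = this.users[username];
    if (!c || typeof password !== 'string') return false;
    const expected = Buffer.from(chapResponse(c.chapId, password, c.chapChallenge), 'hex');
    const got = Buffer.from(String(responseHex), 'hex');
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// Constructed sample data: user "alice", password "s3cret", client MAC below.
function demo() {
  const router = new RouterModel({ alice: 's3cret' });
  const mac = '00:11:22:33:44:55';
  let c = router.issueChallenge(mac);
  const good = chapResponse(c.chapId, 's3cret', c.chapChallenge);
  const legit = router.login(mac, 'alice', good);
  c = router.issueChallenge(mac); // id and challenge are known, the password is not
  const noPassword = router.login(mac, 'alice', chapResponse(c.chapId, 'guess', c.chapChallenge));
  router.issueChallenge(mac); // earlier response presented against a new challenge
  const replay = router.login(mac, 'alice', good);
  return { legit, noPassword, replay };
}
```

Only the first login in `demo()` succeeds: having md5.js plus the chap-id and chap-challenge does not produce a valid response without the password, and a response computed for one challenge is rejected under the next.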