Devil
Member Candidate
Topic Author
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

What exactly are chap-id/chap-challenge?

Thu Aug 11, 2011 7:49 pm

Hi guys. I searched through the forum but couldn't quite find the answer.

I have a PHP server with a login page that users log in to in order to access our local resources. Now what I want to do is to use the same server to redirect the users, after they've logged in, to the Hotspot login page, which will redirect them to another PHP page for external login (based on http://wiki.mikrotik.com/wiki/HotSpot_e ... login_page ). That PHP page will decide whether the user is allowed to access the Internet or not and, if so, it does the MD5 hash itself (with a password that is unknown to the user) and gives the hash to the user so it can do a POST and log in.

As it's quite obvious, I want to do some sort of external authentication without a RADIUS server, and the actual password for the Hotspot is unknown even to the user. Because of the nature of what I want to do, the only solution seems to be HTTP CHAP. Now I have 2 questions:

1- I think what I want to achieve is doable, but I would love some expert's opinion on that.
2- How exactly are chap-id and chap-challenge generated? Are they different every time? And are they destroyed after one use? Basically the user should not have a way to log in again with the same MD5 hash, and only the PHP server should be able to generate another one for him.

Thanks in advance
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 1:14 pm

The chap-id and chap-challenge are used to encrypt the password so it will not be transmitted in clear text.
Why not use http-pap instead of http-chap for the login? That way no MD5 encryption at all.
/ip hotspot profile
set X login-by=http-pap
MD5 encryption is probably a little different from what most expect. There is no "decrypt" method on the receiving end. It is a dual encryption method.

1) The password is encrypted in the client computer using the time-sensitive chap-challenge sent by the router in the login.html page.

2) The chap-challenge and the encrypted password are sent to the router/server for authentication.

3) The router or server retrieves the user's password from the database, encrypts it with the chap-challenge sent from the client, and compares that encrypted password with the encrypted password sent by the client.

4) If they match, it sends Access-Accept. If they don't, it sends Access-Reject.
 
Devil
Member Candidate
Topic Author
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 2:26 pm

Thank you for your reply.
Why not use http-pap instead of http-chap for the login? That way no MD5 encryption at all.
As I stated, I don't want the users to be able to log in to the hotspot without the permission of the external server first. A non-encrypted password would ruin everything, as the client could easily use it again to log in. The real solution for this is of course a RADIUS server. Now I want to achieve the same thing without a RADIUS server. I already created the necessary files and was able to reproduce the correct MD5 hash with PHP.
I also did some testing on chap-id / chap-challenge. As expected, they change as they should. I am almost there; I just need to put all the pieces together.

Edit: for those who might be interested, you can generate the right MD5 hash in PHP like this:

<?php
// chap-id and chap-challenge reach this page as octal escape sequences,
// e.g. "\353" or "\344\326\330...", the same text the MikroTik login.html
// template substitutes for $(chap-id) and $(chap-challenge).
// This converts such a string into the raw bytes it encodes.
function get_string($c)
{
    $out = '';
    foreach (explode('\\', $c) as $oct) {
        if ($oct === '') {
            continue; // the empty element before the leading backslash
        }
        $out .= chr(octdec($oct));
    }
    return $out;
}

$pass = 'test'; // the hotspot user's real password; it never goes to the browser

// Same input as hexMD5() in the stock login.html: id || password || challenge
$rd4md5 = get_string($_POST['chap-id']) . $pass . get_string($_POST['chap-challenge']);
echo md5($rd4md5);
?>
Last edited by Devil on Sat Aug 13, 2011 3:03 pm, edited 2 times in total.
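
The exchange SurferTim spells out in steps 1 to 4, together with the octal decoding that Devil's get_string() performs, as an added example that is not part of the original thread and not MikroTik's own code. It is in Python rather than PHP only so that it runs as a stand-alone script with both sides simulated. The names decode_octal_escapes, encode_octal_escapes, chap_response and HotspotRouter are this example's own, and HotspotRouter is a toy model, not RouterOS: it hands out a fresh chap-id/chap-challenge pair per login page and discards the pair after one attempt, which is the property Devil's scheme depends on and which the thread does not itself establish for RouterOS.

```python
"""Added example (not code from the thread or from MikroTik): the HTTP-CHAP
exchange SurferTim's four steps describe, with the octal decoding that the
PHP get_string() performs, and both sides simulated so it runs offline.

Assumptions, since the thread does not state them:
- chap-id and chap-challenge are octal-escaped strings such as "\\353" or
  "\\344\\326...", the form the MikroTik login.html template variables take.
- The response is MD5(chap-id || password || chap-challenge) over raw bytes,
  which is what the stock template's hexMD5() call computes.
- HotspotRouter is a toy authenticator that treats every challenge as
  single-use. Whether RouterOS discards a challenge after one attempt is NOT
  established by the thread; the model shows why the scheme needs that.
"""
import hashlib
import hmac
import os
import re

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")


def decode_octal_escapes(s: str) -> bytes:
    """Turn "\\353\\100" into b"\\xeb@". Characters that are not escapes pass
    through as single Latin-1 bytes, as a JavaScript string literal would."""
    out = bytearray()
    pos = 0
    for m in _OCTAL_ESCAPE.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8) & 0xFF)
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def encode_octal_escapes(b: bytes) -> str:
    """Inverse of decode_octal_escapes, three octal digits per byte."""
    return "".join("\\%03o" % x for x in b)


def chap_response(chap_id: str, password: str, chap_challenge: str) -> str:
    """The hex string that goes into the 'password' field of the sendin form
    when login-by=http-chap: MD5(id || secret || challenge)."""
    data = (decode_octal_escapes(chap_id)
            + password.encode("utf-8")
            + decode_octal_escapes(chap_challenge))
    return hashlib.md5(data).hexdigest()


class HotspotRouter:
    """Toy model of the authenticator (constructed for this example)."""

    def __init__(self, users):
        self._users = users          # username -> cleartext secret; CHAP needs it
        self._pending = {}           # client -> (chap_id bytes, challenge bytes)
        self._next_id = 1

    def issue_challenge(self, client):
        """What login.html would carry as $(chap-id) and $(chap-challenge)."""
        chap_id = bytes([self._next_id & 0xFF])
        self._next_id += 1
        challenge = os.urandom(16)
        self._pending[client] = (chap_id, challenge)   # replaces any older pair
        return encode_octal_escapes(chap_id), encode_octal_escapes(challenge)

    def login(self, client, username, response_hex):
        """Steps 3 and 4 of the thread: recompute from the stored secret and
        compare. pop() is what makes the challenge single-use."""
        pending = self._pending.pop(client, None)
        if pending is None:
            return False                  # nothing outstanding: replay, or no page served
        secret = self._users.get(username)
        if secret is None:
            return False
        chap_id, challenge = pending
        expected = hashlib.md5(chap_id + secret.encode("utf-8") + challenge).hexdigest()
        return hmac.compare_digest(expected, response_hex)


def demo():
    """The flow Devil describes: the external server, which alone knows the
    hotspot secret, computes the hash; the browser submits it; the same hash
    is useless a second time and against a fresh challenge."""
    secret = "hotspot-secret-the-user-never-sees"   # constructed value
    router = HotspotRouter({"alice": secret})
    cid, chal = router.issue_challenge("client-1")
    response = chap_response(cid, secret, chal)       # the PHP server's step
    first = router.login("client-1", "alice", response)
    replay = router.login("client-1", "alice", response)
    router.issue_challenge("client-1")                # new id/challenge pair
    stale = router.login("client-1", "alice", response)
    return {"first": first, "replay": replay, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the three results. The replay and stale cases are where the scheme stands or falls: if the router let the same chap-id/chap-challenge pair be answered twice, the hash the PHP server handed out would be exactly the reusable credential Devil wants to avoid, so anyone deploying this should confirm that behaviour on their own RouterOS version rather than take it from this model.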
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 3:02 pm

I am not certain I understand. If the MD5 encryption is accomplished in the PHP code (server side), you have lost your security on the client side.

I use wireless and use the http-chap login method for that reason. I don't use SSL login pages, so without that, the password would go in the clear from the client computer to the server over a wireless connection that has no other security (no WEP or WPA). That is unacceptable to me. It is the most dangerous part of the connection.

The alternative is using SSL logins and http-pap. fewi is the expert on that.

ADD: I know where everything happens and how it affects security. I wrote that wiki article.
 
Devil
Member Candidate
Topic Author
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 3:11 pm

I am not certain I understand. If the MD5 encryption is accomplished in the PHP code (server side), you have lost your security on the client side.
Why would I lose security on the client side? The client doesn't even know the password. It only gets a one-time-use MD5 hash, and the next time, chap-id/chap-challenge are changed, so the client should again request a new hash through the external server.
The alternative is using SSL logins
Even SSL login is not an option for me because, although it encrypts the connection between the client and server, the client still has to send the password as plain text, meaning the client could easily see the password and re-use it without getting the permission of the external server first.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 3:15 pm

Let me repeat this so I ensure I know what you want.

You want to "pre-encrypt" the password stored in the php code with the current chap-challenge before it goes to the client, and put those entries into the login.php login form?

If that is it, then I might be able to come up with the rest of the code for you. :D
 
Devil
Member Candidate
Topic Author
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 3:24 pm

Yes, something like that. Thank you for your offer; I appreciate it :). But I already did the hardest part, which was generating the correct MD5 hash. It was quite hard, to be honest. The rest is way easier, and quite done already.
I might decide to create a wiki page about it later on, because I'm pretty sure no one has approached it like that.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 3:38 pm

I have not tried this. This is modified from the original code in the wiki:
<!-- link-login-only, link-orig and the username originate from the request,
     so they are HTML-escaped before being echoed into attributes (this
     assumes they are not already escaped where they are assigned). -->
<form name="sendin" action="<?php echo htmlspecialchars($linkloginonly, ENT_QUOTES); ?>" method="post">
  <input type="hidden" name="username" value="<?php echo htmlspecialchars($myUsername, ENT_QUOTES); ?>"/>
  <input type="hidden" name="password" value="<?php echo $myChapPassword; ?>"/>
  <input type="hidden" name="dst" value="<?php echo htmlspecialchars($linkorig, ENT_QUOTES); ?>" />
  <input type="hidden" name="popup" value="true" />
</form>


I used a username inserted from the login.php page also.
Assign the username to a variable "$myUsername" in the login.php code.
Assign the chap-password you created in the login.php code to a variable "$myChapPassword". Then use the form above instead of the default "sendin" form in login.php.

Would that do?

Edit: I removed the extra '>' from the end of $myUsername .
Last edited by SurferTim on Sat Aug 13, 2011 4:31 pm, edited 1 time in total.
 
Devil
Member Candidate
Topic Author
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 3:43 pm

Yes, something like that would work. Thank you :)
Although technically, it shouldn't be named $myChapPassword but rather $mymd5hash.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 3:46 pm

That is fine. :D

I did forget one thing. You will need to remove the assignments to that in the doLogin JavaScript routine. Change the script just below that form to this:
<script type="text/javascript">
<!--
  function doLogin() {
    document.sendin.submit();
    return false;
  }
//-->
</script>
Notice no value assignments. That would overwrite the "defaults" you installed with the php code.
 
Devil
Member Candidate
Topic Author
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: What exactly are chap-id/chap-challenge?

Sat Aug 13, 2011 3:53 pm

Yes, I am checking/rewriting the whole thing. It would probably take a couple more days to make this puppet work, but I'm close enough. Thank you again for your help :)
