SpiderMattX
just joined
Topic Author
Posts: 6
Joined: Fri Jan 29, 2021 1:43 pm
Location: Indiana, United States

Manual RADIUS CHAP Validation Endlessly Failing

Fri Dec 30, 2022 4:04 pm

Hi everyone,

So I have a fairly basic scenario where I have a freeRADIUS server acting as nothing more than a communication proxy to my own access controller. This is accomplished through the use of a simple Python module that makes use of the rlm_python3 freeRADIUS module to send requests to my controller's HTTP API.

The issue I'm having is with properly hashing the various values to create my own verification hash for comparing to the CHAP-Password value provided in the RADIUS Access-Request. Here is my basic Python code that is attempting to handle this verification process, but I have yet to create any solution that actually validates the request properly. If anyone can tell me what the obvious thing is I'm almost certainly missing, it would be incredibly appreciated! I suspect I'm not using appropriate data types or something along those lines, given that all the implementation examples I have read through seem to indicate I have the order of things correct.

        if auth_type == 'ppp':
            user_id: str = str(payload['request']['User-Name'])
            chap_id: str = str(payload['request']['CHAP-Password'])[2:4]
            chap_password: str = payload['request']['CHAP-Password'][4:]
            chap_challenge: str = str(payload['request']['CHAP-Challenge'])[2:]

            subs: QuerySet = AccountSubscription.objects.filter(username=user_id).order_by('-id')
            if subs.count():
                sub: AccountSubscription = subs[0]
                hasher = hashlib.md5()

                hasher.update(chap_id.encode('ascii'))
                hasher.update(sub.password.encode('ascii'))
                hasher.update(chap_challenge.encode('ascii'))

                if chap_password == hasher.hexdigest():
                    subscription = sub
                else:
                    status = 401
 
binooetomo
just joined
Posts: 17
Joined: Sat Nov 12, 2016 7:08 am

Re: Manual RADIUS CHAP Validation Endlessly Failing

Sat Mar 11, 2023 9:49 am

Did you solve the problem?

Looks like you wrote the code using Django framework (cmiiw).

I also played with Mikrotik + freeradius + django back in 2020.
FreeRadius is the Authenticator.
What it requests through rlm_rest is the Authorize.

FreeRadius expects a JSON response with the format:
'control:__ATTRIBUTE_NAME__': value,
'replay':__ATTRIBUTE_NAME__':value
'control' is the Authentication part. It has:
'control:User-Name': Value , and
'control:Clear-Text-Password': Value

For the authentication process, FreeRadius will use the challenge against the value of 'Clear-Text-Password'
and compare it to the already encrypted password for the decision.

So ... AFAIK ... to work with rlm_rest we have to know how to get the clear text password from our user data source.

Django saves user passwords hashed.

What I've done is for 'Hotspot service'.
I ended up using PAP.

-bino-
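
An added example, not code from either post: a byte-level CHAP check for the validation asked about in the first post, which also shows why the server needs the cleartext password mentioned in the reply. It assumes the attributes arrive as "0x"-prefixed hex strings (as the slicing in the first post implies) and that the stored password is UTF-8 text; all function names and the sample request are constructed for illustration.

```python
import hashlib
import hmac


def octets(value: str) -> bytes:
    """Decode an octets attribute passed as hex text, with or without '0x'."""
    return bytes.fromhex(value[2:] if value[:2].lower() == "0x" else value)


def chap_response(ident: bytes, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the ident octet, the cleartext secret, the challenge."""
    return hashlib.md5(ident + password + challenge).digest()


def verify_chap(chap_password: str, chap_challenge: str, cleartext: str) -> bool:
    try:
        raw = octets(chap_password)
        challenge = octets(chap_challenge)
    except ValueError:  # attribute is not valid hex
        return False
    # RFC 2865: CHAP-Password is 1 ident octet + 16-octet MD5 response.
    if len(raw) != 17 or not challenge:
        return False
    # Assumption: the stored password is UTF-8 text.
    expected = chap_response(raw[:1], cleartext.encode("utf-8"), challenge)
    return hmac.compare_digest(expected, raw[1:])


def hexstring_digest(chap_password: str, chap_challenge: str, cleartext: str) -> str:
    """Hashes the hex *text* of ident and challenge; shown only for contrast."""
    h = hashlib.md5()
    h.update(chap_password[2:4].encode("ascii"))
    h.update(cleartext.encode("ascii"))
    h.update(chap_challenge[2:].encode("ascii"))
    return h.hexdigest()


def constructed_request(password: str = "s3cret-ppp") -> dict:
    """Constructed sample: what a NAS would send for ident 0x2a."""
    ident = b"\x2a"
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    response = chap_response(ident, password.encode("utf-8"), challenge)
    return {"CHAP-Password": "0x" + (ident + response).hex(),
            "CHAP-Challenge": "0x" + challenge.hex()}


if __name__ == "__main__":
    req = constructed_request()
    print(verify_chap(req["CHAP-Password"], req["CHAP-Challenge"], "s3cret-ppp"))
```

When a request carries no CHAP-Challenge attribute, RFC 2865 specifies that the Request Authenticator is the challenge, so the caller has to pass that value instead.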
