RADIUS CHAP authentication
Introduction and overview
The CHAP AuthState authenticates users using a CHAP authentication. It is intended to be used with a CHAP-enabled protocol such as RADIUS (via the RADIUS facade). CHAP authentication requires the client's password to be available at the server-side in plain text. However, the password is never sent over the network.
Description
The following table describes the characteristics of the AuthState.
| Topic | Description |
|---|---|
| Class | ch.nevis.esauth.auth.states.standard.CHAP |
| Logging | StdStates |
| Auditing | none |
| Marker | CHAP / user name and password |
| Properties | chapPassword (string, -)Received RADIUS CHAP password, Base64 encoded. |
| chapChallenge (string, -)Received RADIUS CHAP challenge, Base64 encoded. | |
| plainPassword (string, -)The plaintext password of the client. This is the common secret between client and server. It is used in combination with the CHAP challenge, to generate the hash that is validated against the received CHAP password. | |
| Properties | userid (string, -)The user to authenticate upon success. |
| hashAlgorithm (string, "MD5")Hashing algorithm to be used. Must be MD5 for RADIUS setups. | |
| issueChallenge (boolean, "false")If false, the challenge can be chosen by the client. Normally, a client in this case is a trusted proxy/NAS. This setup is stateless.If true, nevisAuth issues new challenges and only accepts previously issued challenges. The challenge is remembered in the user's session. If used with the RADIUS facade, the State attribute must be delegated to the client to maintain a state. | |
| Methods | process |
| Input | none (except over variable substitution) |
| Transitions | ok: User was successfully authenticated. |
| challenge (optional): A new random challenge was issued. | |
| default: An error happened. | |
| Output | none |
| Errors | none |
| Session | chap.challengeA new random CHAP challenge (Base64 encoded for the RADIUS facade) if issueChallenge is active and no chapChallenge was given as input argument. If a chapChallenge is given, it is compared to the current session entry. |
<!-- minimal sample snipped to enforce a challenge from the client -->
<RadiusResponse code="Access-Challenge" if="${response:result:challenge}">
<RadiusAttribute type="Reply-Message" value="CHAP-Authentication required"/>
<RadiusAttribute type="State" value="${sess:Id}"/>
<RadiusAttribute type="CHAP-Challenge" value="${sess:chap.challenge}"/>
</RadiusResponse>
Example
<AuthState name="ChapAuthentication"
class="ch.nevis.esauth.auth.states.standard.CHAP" final="false">
<ResultCond name="default" next="AuthError" />
<ResultCond name="ok" next="AuthDone" />
<Response value="AUTH_ERROR">
<Gui name="AuthErrorDialog"/>
</Response>
<property name="chapPassword" value="${inargs:chapPassword}" />
<property name="chapChallenge" value="${inargs:chapChallenge}" />
<property name="plainPassword" value="${notes:user.password.plain}" />
<property name="userid" value="${inargs:isiwebuserid}" />
</AuthState>
<!-- to be used with a radius facade> -->
<RadiusInput type="User-Name" inArg="isiwebuserid"/>
<RadiusInput type="CHAP-Password" inArg="chapPassword"/>
<RadiusInput type="CHAP-Challenge" inArg="chapChallenge"/>
-->