Skip to main content
Version: 4.32.x.x LTS

RADIUS CHAP authentication

Introduction and overview

The CHAP AuthState authenticates users using a CHAP authentication. It is intended to be used with a CHAP-enabled protocol such as RADIUS (via the RADIUS facade). CHAP authentication requires the client's password to be available at the server-side in plain text. However, the password is never sent over the network.

Description

The following table describes the characteristics of the AuthState.

TopicDescription
Classch.nevis.esauth.auth.states.standard.CHAP
LoggingStdStates
Auditingnone
MarkerCHAP / user name and password
PropertieschapPassword (string, -)Received RADIUS CHAP password, Base64 encoded.
chapChallenge (string, -)Received RADIUS CHAP challenge, Base64 encoded.
plainPassword (string, -)The plaintext password of the client. This is the common secret between client and server. It is used in combination with the CHAP challenge, to generate the hash that is validated against the received CHAP password.
Propertiesuserid (string, -)The user to authenticate upon success.
hashAlgorithm (string, "MD5")Hashing algorithm to be used. Must be MD5 for RADIUS setups.
issueChallenge (boolean, "false")If false, the challenge can be chosen by the client. Normally, a client in this case is a trusted proxy/NAS. This setup is stateless.If true, nevisAuth issues new challenges and only accepts previously issued challenges. The challenge is remembered in the user's session. If used with the RADIUS facade, the State attribute must be delegated to the client to maintain a state.
Methodsprocess
Inputnone (except over variable substitution)
Transitionsok: User was successfully authenticated.
challenge (optional): A new random challenge was issued.
default: An error happened.
Outputnone
Errorsnone
Sessionchap.challengeA new random CHAP challenge (Base64 encoded for the RADIUS facade) if issueChallenge is active and no chapChallenge was given as input argument. If a chapChallenge is given, it is compared to the current session entry.
<!-- minimal sample snipped to enforce a challenge from the client -->
<RadiusResponse code="Access-Challenge" if="${response:result:challenge}">
<RadiusAttribute type="Reply-Message" value="CHAP-Authentication required"/>
<RadiusAttribute type="State" value="${sess:Id}"/>
<RadiusAttribute type="CHAP-Challenge" value="${sess:chap.challenge}"/>
</RadiusResponse>

Example

<AuthState name="ChapAuthentication"
class="ch.nevis.esauth.auth.states.standard.CHAP" final="false">
<ResultCond name="default" next="AuthError" />
<ResultCond name="ok" next="AuthDone" />
<Response value="AUTH_ERROR">
<Gui name="AuthErrorDialog"/>
</Response>
<property name="chapPassword" value="${inargs:chapPassword}" />
<property name="chapChallenge" value="${inargs:chapChallenge}" />
<property name="plainPassword" value="${notes:user.password.plain}" />
<property name="userid" value="${inargs:isiwebuserid}" />
</AuthState>

<!-- to be used with a radius facade> -->
<RadiusInput type="User-Name" inArg="isiwebuserid"/>
<RadiusInput type="CHAP-Password" inArg="chapPassword"/>
<RadiusInput type="CHAP-Challenge" inArg="chapChallenge"/>
-->