Skip to main content

7.3 User with Challenge-Response card

7.3. User with Challenge-Response card

The NAS at 192.168.1.16 sends an Access-Request UDP packet to the RADIUS Server for a user named mopsy logging in on port 7. The user enters the dummy password "challenge" in this example. The challenge and response generated by the smart card for this example are "32769430" and "99101462".

The Request Authenticator is a 16 octet random number generated by the NAS.

The User-Password is 16 octets of password, in this case "challenge", padded at the end with nulls, XORed with MD5(shared secret|Request Authenticator).

  01 02 00 39 f3 a4 7a 1f 6a 6d 76 71 0b 94 7a b9
  30 41 a0 39 01 07 6d 6f 70 73 79 02 12 33 65 75
  73 77 82 89 b5 70 88 5e 15 08 48 25 c5 04 06 c0
  a8 01 10 05 06 00 00 00 07

1 Code = Access-Request (1) 1 ID = 2 2 Length = 57 16 Request Authenticator

  Attributes:
   7 User-Name (1) = "mopsy"
  18 User-Password (2)
   6  NAS-IP-Address (4) = 192.168.1.16
   6  NAS-Port (5) = 7

The RADIUS server decides to challenge mopsy, sending back a challenge string and looking for a response. The RADIUS server therefore and sends an Access-Challenge UDP packet to the NAS.

The Response Authenticator is a 16-octet MD5 checksum of the code (11), id (2), length (78), the Request Authenticator from above, the attributes in this reply, and the shared secret.

The Reply-Message is "Challenge 32769430. Enter response at prompt."

The State is a magic cookie to be returned along with user's response; in this example 8 octets of data (33 32 37 36 39 34 33 30 in hex).

  0b 02 00 4e 36 f3 c8 76 4a e8 c7 11 57 40 3c 0c
  71 ff 9c 45 12 30 43 68 61 6c 6c 65 6e 67 65 20
  33 32 37 36 39 34 33 30 2e 20 20 45 6e 74 65 72
  20 72 65 73 70 6f 6e 73 65 20 61 74 20 70 72 6f
  6d 70 74 2e 18 0a 33 32 37 36 39 34 33 30

   1 Code = Access-Challenge (11)
   1 ID = 2 (same as in Access-Request)
   2 Length = 78
  16 Response Authenticator

  Attributes:
  48  Reply-Message (18)
  10  State (24)

The user enters his response, and the NAS send a new Access-Request with that response, and includes the State Attribute.

The Request Authenticator is a new 16 octet random number.

The User-Password is 16 octets of the user's response, in this case "99101462", padded at the end with nulls, XORed with MD5(shared secret|Request Authenticator).

The state is the magic cookie from the Access-Challenge packet, unchanged.

  01 03 00 43 b1 22 55 6d 42 8a 13 d0 d6 25 38 07
  c4 57 ec f0 01 07 6d 6f 70 73 79 02 12 69 2c 1f
  20 5f c0 81 b9 19 b9 51 95 f5 61 a5 81 04 06 c0
  a8 01 10 05 06 00 00 00 07 18 10 33 32 37 36 39
  34 33 30

   1 Code = Access-Request (1)
   1 ID = 3 (Note that this changes.)
   2 Length = 67
  16 Request Authenticator

  Attributes:
   7  User-Name = "mopsy"
  18  User-Password
   6  NAS-IP-Address (4) = 192.168.1.16
   6  NAS-Port (5) = 7
  10  State (24)

The Response was incorrect (for the sake of example), so the RADIUS server tells the NAS to reject the login attempt.

The Response Authenticator is a 16 octet MD5 checksum of the code (3), id (3), length(20), the Request Authenticator from above, the attributes in this reply (in this case, none), and the shared secret.

  03 03 00 14 a4 2f 4f ca 45 91 6c 4e 09 c8 34 0f
  9e 74 6a a0

   1 Code = Access-Reject (3)
   1 ID = 3 (same as in Access-Request)
   2 Length = 20
  16 Response Authenticator

  Attributes:
     (none, although a Reply-Message could be sent)
Last updated on