I stumbled across a Cisco document today describing MD5-sess integration
with their Radius server. Quite smart scheme but will require some
redesign of our Digest helper protocol making it in some sense similar to
the NTLM helpers.
<url:http://www.cisco.com/en/US/products/sw/netmgtsw/ps411/prod_release_note09186a00800ab728.html>
HTTP Digest Authentication
HTTP Digest is an encryption method used by protocols such as Hypertext
Transport Protocol (HTTP), Session Initiation Protocol (SIP), and
Extensible Authentication Protocol (EAP).
Cisco Access Registrar 3.0R6 provides an interface to authenticate RADIUS
clients based on HTTP Digest. The client sends an Access-Request packet
containing a Digest-Response and associated Digest Attributes. The Cisco
AR server computes a value based on the user's profile and compares this
with the digest response to return an Access-Accept or Access-Reject.
The Cisco AR server generates a session key based on Internet RFC 2617,
the RADIUS Extension for Digest Authentication. The generated session key
is delivered to the client using the MS-MPPE-Recv-Key attribute in the
Access-Accept packet if the algorithm specified in the Access-Request is
MD5-sess.
Or to summarise, the Radius server is the initial Digest endpoint but
upon successful authentication the MD5-sess HA1 session key is returned
allowing the client (would be Squid) to verify further Digest exchanges in
the same session until the server nonce expires.
1. asks the Radius server for an MD5-sess Digest challenge. This challenge
includes the server nonce.
2. send client Digest response to Radius server.
3. If successful, MD5-sess HA1 session key returned by the radius server.
4. From this point on Digest responses can be verified directly based on
the MD5-sess session key.
Regards
Henrik
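The four-step flow above, as an added Python example that is not Squid's or Cisco's code: the hashing follows RFC 2617 (MD5 and MD5-sess HA1, qop=auth request-digest), while the user database, realm, nonce and cnonce values are constructed and the RADIUS and proxy sides are modelled as plain functions rather than as RADIUS packets or the MS-MPPE-Recv-Key attribute. The point it shows is that once the RADIUS server has checked the first response and handed back the MD5-sess HA1, a verifier holding only that session key can accept or reject later responses under the same server nonce without ever seeing the password, and can reject replays by tracking the nonce-count.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Hex MD5 of a string, the primitive Digest builds on (RFC 2617)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1_md5(username: str, realm: str, password: str) -> str:
    """Plain 'MD5' algorithm: HA1 = MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha1_md5_sess(username: str, realm: str, password: str, nonce: str, cnonce: str) -> str:
    """'MD5-sess' algorithm: HA1 = MD5(MD5(username:realm:password):nonce:cnonce).
    Computed once per server nonce with the cnonce of the first request; this is
    the session key RADIUS can return after step 3, and a verifier holding it
    never needs the password."""
    return md5_hex(f"{ha1_md5(username, realm, password)}:{nonce}:{cnonce}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def radius_authenticate(user_db: dict, username: str, realm: str, method: str, uri: str,
                        nonce: str, nc: str, cnonce: str, qop: str, response: str):
    """Steps 2 and 3, RADIUS side: recompute the response from the stored password and,
    on a match, return the MD5-sess HA1 (the session key); None means Access-Reject."""
    password = user_db.get(username)
    if password is None:
        return None
    ha1 = ha1_md5_sess(username, realm, password, nonce, cnonce)
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce, qop)
    return ha1 if hmac.compare_digest(expected, response) else None


class SessionVerifier:
    """Step 4, proxy side: holds only the session HA1 for one server nonce plus the
    last nonce-count accepted, so a replayed request is rejected even though its
    digest is valid."""

    def __init__(self, nonce: str, session_ha1: str, last_nc: int):
        self.nonce, self.session_ha1, self.last_nc = nonce, session_ha1, last_nc

    def verify(self, method: str, uri: str, nonce: str, nc: str,
               cnonce: str, qop: str, response: str) -> bool:
        if nonce != self.nonce:          # the session key is bound to this server nonce
            return False
        nc_value = int(nc, 16)
        if nc_value <= self.last_nc:     # replay or out-of-order nonce-count
            return False
        expected = digest_response(self.session_ha1, method, uri, nonce, nc, cnonce, qop)
        if not hmac.compare_digest(expected, response):
            return False
        self.last_nc = nc_value
        return True


def rfc2617_vector_ok() -> bool:
    """Self-check of digest_response against the worked example in RFC 2617 section 3.5
    (plain MD5 algorithm, qop=auth)."""
    ha1 = ha1_md5("Mufasa", "testrealm@host.com", "Circle Of Life")
    resp = digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    return resp == "6629fae49393a05397450978507c4ef1"


def run_session() -> dict:
    """Walks the four steps of the post with constructed values; every entry should be True."""
    user_db = {"alice": "correct horse"}      # constructed credential store, not a real account
    realm, nonce, cnonce = "proxy.example", "b7c5e0d4f2a1", "0a4f113b"   # constructed
    client_ha1 = ha1_md5_sess("alice", realm, "correct horse", nonce, cnonce)  # client, once
    out = {}
    # Steps 2-3: RADIUS judges the first request and returns the session key.
    r1 = digest_response(client_ha1, "GET", "/", nonce, "00000001", cnonce)
    session_ha1 = radius_authenticate(user_db, "alice", realm, "GET", "/", nonce,
                                      "00000001", cnonce, "auth", r1)
    out["radius_accept"] = session_ha1 is not None
    bad = digest_response(ha1_md5_sess("alice", realm, "wrong", nonce, cnonce),
                          "GET", "/", nonce, "00000001", cnonce)
    out["wrong_password_rejected"] = radius_authenticate(
        user_db, "alice", realm, "GET", "/", nonce, "00000001", cnonce, "auth", bad) is None
    # Step 4: the proxy verifies later requests knowing only session_ha1.
    proxy = SessionVerifier(nonce, session_ha1, last_nc=1)
    r2 = digest_response(client_ha1, "GET", "/second", nonce, "00000002", cnonce)
    out["second_request_ok"] = proxy.verify("GET", "/second", nonce, "00000002", cnonce, "auth", r2)
    out["replay_rejected"] = not proxy.verify("GET", "/second", nonce, "00000002", cnonce, "auth", r2)
    out["tampered_uri_rejected"] = not proxy.verify("GET", "/other", nonce, "00000003", cnonce, "auth", r2)
    r3 = digest_response(ha1_md5_sess("alice", realm, "correct horse", "other", cnonce),
                         "GET", "/third", "other", "00000003", cnonce)
    out["foreign_nonce_rejected"] = not proxy.verify("GET", "/third", "other", "00000003", cnonce, "auth", r3)
    return out


if __name__ == "__main__":
    print("RFC 2617 vector:", rfc2617_vector_ok())
    for name, ok in run_session().items():
        print(f"{name}: {ok}")
```

Two design points worth noting: the proxy-side verifier compares digests with `hmac.compare_digest` rather than `==`, and it keys its state on the server nonce, which is exactly the lifetime the post gives the session key (until the server nonce expires). Once the nonce is retired, the stored HA1 is useless to anyone who obtains it, which is the property that makes handing it to the client acceptable in the first place.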
Received on Mon Feb 09 2004 - 18:49:28 MST
This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:04 MST