Freeradius-Users Digest, Vol 5, Issue 91 [faked-from][heur] [sls]

Dag Petersson Dag.Petersson at iqab.se
Sun Oct 2 08:58:12 CEST 2005



-----Original Message-----
From: "freeradius-users-request at lists.freeradius.org"<freeradius-users-request at lists.freeradius.org>
Sent: 05-09-28 19:06:04
To: "freeradius-users at lists.freeradius.org"<freeradius-users at lists.freeradius.org>
Subject: Freeradius-Users Digest, Vol 5, Issue 91 [faked-from][heur] [sls]

Send Freeradius-Users mailing list submissions to
	freeradius-users at lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
	freeradius-users-request at lists.freeradius.org

You can reach the person managing the list at
	freeradius-users-owner at lists.freeradius.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."


Today's Topics:

   1. Re: AccountingReq message authenticator (Michael Lecuyer)
   2. Re: Questions about upgrading Freeradius (Linda Pagillo)
   3. Re: Expose RADIUS packet's identifier  (Alan DeKok)
   4. Re: Questions about upgrading Freeradius  (Alan DeKok)
   5. Re: Chap,LDAP and Passwords :)  (Alan DeKok)
   6. Re: Crashes with 1.0.4/1.0.5,	perhaps connected with slow
      LDAP backend?  (Alan DeKok)
   7. Re: EAP-TLS reject if CN not in MySQL  (Alan DeKok)
   8. Re: Questions about upgrading Freeradius (Dusty Doris)
   9. Re: Questions about upgrading Freeradius (Linda Pagillo)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Sep 2005 10:48:42 -0400
From: Michael Lecuyer <mjl at theorem.com>
Subject: Re: AccountingReq message authenticator
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <433AAD4A.305 at theorem.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

There is no way to generate a message authenticator in an 
Accounting-Request packet the usual way it's generated for an 
Access-Request.

The accounting packet is signed by the client therefore there cannot be 
two signatures created for the entire the packet. By the very nature of 
  creating signature the second signature will alter the packet's 
contents invalidating the first signature.

The Message-Authenticator can be only one of two things. Either it's 
calculated as a hash of the attributes or it's a random number (like the 
Access-Request authenticator). From your information I suspect it's the 
former.

You might try using the traditional MA calculation for the MA on just 
the attributes with an empty (zeroed) MA present and back patch the MA. 
If this works please let me know.

Or, if someone has accounting packets generated with proper MA's please 
send them to me and I'll try some standard hashes. The MA is 
traditionally created as an MD5-HMAC of the shared secret and the entire 
packet's contents with an empty (16 byte) Message-Authenticator. For an 
accounting packet MA use just the attribute block instead of the entire 
packet try just the attributes with the empty MA.


Ashwin Gobind wrote:
> Hi.
> 
>  
> 
> Is there anyway to generate a message authenticator for an accounting 
> request packet.  At the moment I am using JRadius, I need to send an 
> accounting request message to another radius server.  However after I 
> add the message authenticator and send to to another server, the other 
> server complains about “Invalid message authenticator”  (Shared secret 
> is incorrect).
> 
>  
> 
> Here is some code :
> 
> //Proxy request to the wap gateway
> 
>                                                             
> DatagramSocket socket = new DatagramSocket();
> 
>                                                             
> socket.setSoTimeout(5000);
> 
>                                                             //Generate 
> authenticator
> 
>                                                             
> MessageDigest md5 = MessageDigest.getInstance("MD5");
> 
>                                                             
> md5.reset();                   
> 
>                                             md5.update((byte)req.getCode());
> 
>                                             
> md5.update((byte)req.getIdentifier());
> 
>                                             int length = 
> req.getBytes().length;
> 
>                                             byte [] authenticator = 
> req.getAuthenticator();
> 
>                                             byte [] attributeBytes = 
> req.getAttributeBytes(req.getAttributes(),0);
> 
>                                             for (int z=0; z 
> <authenticator.length ; z++ )
> 
>                                                                         
> RadiusLog.debug("Autenticator["+z+"] Before = " + authenticator[z]);
> 
>                                                            
> 
>                                             
> RadiusLog.debug("Autenticator Length: " + authenticator.length);
> 
>                                             RadiusLog.debug("Attributes 
> Length: " + attributeBytes.length);
> 
>                                             RadiusLog.debug("Paket 
> Length: " + length);
> 
>                                            
> 
>                                             String sharedSecret = 
> "testing123";
> 
>                                             md5.update((byte)(length >> 8));
> 
>                                             md5.update((byte)(length & 
> 0xff));
> 
>                                             md5.update(authenticator, 0, 
> authenticator.length);
> 
>                                             md5.update(attributeBytes, 
> 0, attributeBytes.length);
> 
>                                             
> md5.update(sharedSecret.getBytes());        
> 
>                                             
> req.overwriteAttribute(AttributeFactory.newAttribute(AttributeDictionary.MESSAGE_AUTHENTICATOR, 
> authenticator));
> 
>                                                            
> 
>                                             
> System.arraycopy(md5.digest(), 0, authenticator, 0, 16);
> 
> “This e-mail is sent on the Terms and Conditions that can be accessed by 
> Clicking on this link http://www.vodacom.net/legal/email.aspx 
> <http://www.vodacom.net/legal/email.asp> "
> 
> 
> ------------------------------------------------------------------------
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



------------------------------

Message: 2
Date: Wed, 28 Sep 2005 10:17:59 -0500
From: "Linda Pagillo" <linda at n2thenet.com>
Subject: Re: Questions about upgrading Freeradius
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <009301c5c43f$cffd60c0$2902a8c0 at com.tnaccess.com>
Content-Type: text/plain;	charset="iso-8859-1"

Thanks for your reply. Is it really this much work to do a simple upgrade?
Is there a shortcut?
----- Original Message ----- 
From: "Dusty Doris" <freeradius at mail.doris.cc>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, September 28, 2005 9:58 AM
Subject: Re: Questions about upgrading Freeradius


> On Wed, 28 Sep 2005, Linda Pagillo wrote:
>
> > Hi everyone:
> >
> > I have been using Freeradius v.0.9.3 for over a year and i wish to
> > upgrade to the latest version. Can anyone give me detailed instructions
> > on how to do this? I use Freeradius in a prodcution enviroment and i
> > can't afford to mess it up. I'm running Linux RedHat 9. Do i just do a
> > ./configure, make and make install like i did the first time? If yes,
> > won't that overwrite all of my current config files? Thanks!
> >
>
> First, I would recommend setting up a lab machine (you can do it on your
> workstation if you need to) to test that your configs work correctly with
> the new version.  Its probably backward compatible, but I wouldn't just
> blindly upgrade on production and hope for the best.
>
> Then you could compile freeradius with --prefix.  This will put all
> configurations, binaries, etc.. into a certain directory.  For example:
>
> ./configure --prefix=/usr/local/freeradius1.0.5
> make
> make install
>
> When that's done, cd to /usr/local/freeradius1.0.5/etc/raddb and change
> your files to make it work like it did in testing.  Shutdown the current
> radius version and start up the new one with
> /usr/local/freeradius1.0.5/sbin/radiusd -X and see if its working.  If so,
> modify your startup scripts to point to the new version instead of the
> old.
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>



------------------------------

Message: 3
Date: Wed, 28 Sep 2005 11:23:31 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: Expose RADIUS packet's identifier 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928152332.0133B16CC1 at mail.nitros9.org>

Josh Howlett <josh.howlett at bristol.ac.uk> wrote:
> Does anyone know if the server can expose a RADIUS packet's identifier, 
> for example through mod_exec? Or, is this limited to RADIUS attributes only?

ATTRIBUTE	Packet-Authentication-Vector		1088	octets

  It *could* have been somewhere in the documentation, but...

  Alan DeKok.


------------------------------

Message: 4
Date: Wed, 28 Sep 2005 12:08:13 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: Questions about upgrading Freeradius 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928160813.115C916CC1 at mail.nitros9.org>

"Linda Pagillo" <linda at n2thenet.com> wrote:
> Thanks for your reply. Is it really this much work to do a simple upgrade?
> Is there a shortcut?

  Not really.  Doing the upgrade slowly is less work than doing it
quickly, and then having your RADIUS server down because you missed
something.

  Alan DeKok.



------------------------------

Message: 5
Date: Wed, 28 Sep 2005 12:09:11 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: Chap,LDAP and Passwords :) 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928160911.41F2616CC1 at mail.nitros9.org>

liz <liz at unixgrrl.net> wrote:
> However, if I turn on CHAP based authentication I get a message from  
> the radius server that USER-PASSWORD is a required attribute.

 You set Auth-Type := LDAP.  Don't do that.  LDAP doesn't understand
CHAP.

> I am going to try another radius plugin I found today on
> sourcegforge to try and narrow it down.

  That's not necessary.

  Alan DeKok.



------------------------------

Message: 6
Date: Wed, 28 Sep 2005 12:12:56 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: Crashes with 1.0.4/1.0.5,	perhaps connected with slow
	LDAP backend? 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928161256.3095E16CC1 at mail.nitros9.org>

Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
> We do have perfomance problems with our LDAP backend,
> so this sound reasonable, but could this cause the server to crash?

  Yes.  If all of the threads are blocked forever, waiting for the DB
to return data, then the queue of requests grows without bounds.  At
some point, the server says "I'm not making progress, and I can't
recover from this", and kills itself.

  Since the server is *already* effectively dead at that point, it
makes no difference to your network.

  The solution is to fix the database so that it doesn't kill the
server.

  Alan DeKok.



------------------------------

Message: 7
Date: Wed, 28 Sep 2005 12:14:05 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: EAP-TLS reject if CN not in MySQL 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928161405.5BBA516E0B at mail.nitros9.org>

"Jonathan De Graeve" <Jonathan.De.Graeve at imelda.be> wrote:
> imply a group that changes the default ACTIONs to something like
> 
>   fail = 1
>   everythingelse = return
> 
> Tried in config:
> 
> everythingelse = return
> 
> radiusd.conf[1637] Unknown module rcode 'everythingelse'.

  It was NOT meant to be taken literally.

> Any ideas?

  Read doc/configurable_failover, and type in all the other return
codes by hand.

  Alan DeKok.



------------------------------

Message: 8
Date: Wed, 28 Sep 2005 12:48:09 -0400 (EDT)
From: Dusty Doris <freeradius at mail.doris.cc>
Subject: Re: Questions about upgrading Freeradius
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928124746.N93079 at mail.doris.name>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

You consider that much work?  I wish I had your job!

:)

On Wed, 28 Sep 2005, Linda Pagillo wrote:

> Thanks for your reply. Is it really this much work to do a simple upgrade?
> Is there a shortcut?
> ----- Original Message -----
> From: "Dusty Doris" <freeradius at mail.doris.cc>
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Sent: Wednesday, September 28, 2005 9:58 AM
> Subject: Re: Questions about upgrading Freeradius
>
>
>> On Wed, 28 Sep 2005, Linda Pagillo wrote:
>>
>>> Hi everyone:
>>>
>>> I have been using Freeradius v.0.9.3 for over a year and i wish to
>>> upgrade to the latest version. Can anyone give me detailed instructions
>>> on how to do this? I use Freeradius in a prodcution enviroment and i
>>> can't afford to mess it up. I'm running Linux RedHat 9. Do i just do a
>>> ./configure, make and make install like i did the first time? If yes,
>>> won't that overwrite all of my current config files? Thanks!
>>>
>>
>> First, I would recommend setting up a lab machine (you can do it on your
>> workstation if you need to) to test that your configs work correctly with
>> the new version.  Its probably backward compatible, but I wouldn't just
>> blindly upgrade on production and hope for the best.
>>
>> Then you could compile freeradius with --prefix.  This will put all
>> configurations, binaries, etc.. into a certain directory.  For example:
>>
>> ./configure --prefix=/usr/local/freeradius1.0.5
>> make
>> make install
>>
>> When that's done, cd to /usr/local/freeradius1.0.5/etc/raddb and change
>> your files to make it work like it did in testing.  Shutdown the current
>> radius version and start up the new one with
>> /usr/local/freeradius1.0.5/sbin/radiusd -X and see if its working.  If so,
>> modify your startup scripts to point to the new version instead of the
>> old.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


------------------------------

Message: 9
Date: Wed, 28 Sep 2005 11:58:04 -0500
From: "Linda Pagillo" <linda at n2thenet.com>
Subject: Re: Questions about upgrading Freeradius
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <00b901c5c44d$cb1f9e20$2902a8c0 at com.tnaccess.com>
Content-Type: text/plain;	charset="iso-8859-1"

I wish you had my job too because i'm about fed up with this crap.. Anyway,
thanks for the reply, i'll do it.
----- Original Message ----- 
From: "Dusty Doris" <freeradius at mail.doris.cc>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, September 28, 2005 11:48 AM
Subject: Re: Questions about upgrading Freeradius


> You consider that much work?  I wish I had your job!
>
> :)
>
> On Wed, 28 Sep 2005, Linda Pagillo wrote:
>
> > Thanks for your reply. Is it really this much work to do a simple
upgrade?
> > Is there a shortcut?
> > ----- Original Message -----
> > From: "Dusty Doris" <freeradius at mail.doris.cc>
> > To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
> > Sent: Wednesday, September 28, 2005 9:58 AM
> > Subject: Re: Questions about upgrading Freeradius
> >
> >
> >> On Wed, 28 Sep 2005, Linda Pagillo wrote:
> >>
> >>> Hi everyone:
> >>>
> >>> I have been using Freeradius v.0.9.3 for over a year and i wish to
> >>> upgrade to the latest version. Can anyone give me detailed
instructions
> >>> on how to do this? I use Freeradius in a prodcution enviroment and i
> >>> can't afford to mess it up. I'm running Linux RedHat 9. Do i just do a
> >>> ./configure, make and make install like i did the first time? If yes,
> >>> won't that overwrite all of my current config files? Thanks!
> >>>
> >>
> >> First, I would recommend setting up a lab machine (you can do it on
your
> >> workstation if you need to) to test that your configs work correctly
with
> >> the new version.  Its probably backward compatible, but I wouldn't just
> >> blindly upgrade on production and hope for the best.
> >>
> >> Then you could compile freeradius with --prefix.  This will put all
> >> configurations, binaries, etc.. into a certain directory.  For example:
> >>
> >> ./configure --prefix=/usr/local/freeradius1.0.5
> >> make
> >> make install
> >>
> >> When that's done, cd to /usr/local/freeradius1.0.5/etc/raddb and change
> >> your files to make it work like it did in testing.  Shutdown the
current
> >> radius version and start up the new one with
> >> /usr/local/freeradius1.0.5/sbin/radiusd -X and see if its working.  If
so,
> >> modify your startup scripts to point to the new version instead of the
> >> old.
> >>
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >>
> >
> > -
> > List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
> >
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>



------------------------------

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 5, Issue 91
***********************************************




More information about the Freeradius-Users mailing list