FreeRadius Proxying and Message-Authenticator

Paolo Rotela paolo.rotela at bluetelecom.com
Mon Sep 19 14:58:22 CEST 2005


Hi people. I'm posting this in case it can be useful to anybody who wants 
to do the same as me.

At the moment it is the only way I found to make FreeRADIUS proxy packets to 
a Cisco Secure ACS. I know it's a dumb patch; it is simply an "if" which 
ignores the check of the "Message-Authenticator" attribute for 
Accounting-Response packets. Anyway, I wanted to test it as far as I could. 
It has been working since last Thursday without problems.

I hope some day an RFC arrives to bring light to the darkness of this 
attribute.

I only want to clarify that this is not a specific issue that I came 
across. It's a generic issue between FreeRADIUS and Cisco.

This is the patch file I used in the radius.c code:

# cat freeradius.patch
diff -Naur freeradius-1.0.5-patched/src/lib/radius.c 
freeradius-1.0.5/src/lib/radius.c
--- freeradius-1.0.5-patched/src/lib/radius.c   2005-09-16 
09:39:53.345956517 -0300
+++ freeradius-1.0.5/src/lib/radius.c   2005-08-19 16:43:46.000000000 -0300
@@ -669,7 +669,7 @@
                memset ((char *) &salocal, '\0', sizeof (salocal));
                salocal.sin_family = AF_INET;
                salocal.sin_addr.s_addr = packet->src_ipaddr;
-
+
                return sendfromto(packet->sockfd, packet->data, 
(int)packet->data_len, 0,
                                  (struct sockaddr *)&salocal, 
sizeof(struct sockaddr_in),
                                  (struct sockaddr *)&saremote, 
sizeof(struct sockaddr_in));
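Review bot: This hunk changes nothing but whitespace (the removed and added lines before the `return sendfromto(...)` call are both blank), so it is noise and should be dropped from the patch. Note also that the file headers are reversed: `--- freeradius-1.0.5-patched/src/lib/radius.c` against `+++ freeradius-1.0.5/src/lib/radius.c` means the `-` lines throughout are the new code and the `+` lines are stock 1.0.5, so `patch -p1` on a stock tree will not apply without `-R`. Regenerate with `diff -Naur freeradius-1.0.5 freeradius-1.0.5-patched`.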
@@ -1198,23 +1198,15 @@
                          break;
                        }

-                       /*  Patch by Martin Arrieta and Paolo Rotela.
-                        *  Ignores Message-Authenticator in Accounting 
Response packets
-                        *  Because RFCs doesn't specify how to calculate 
it.
-                        *  It prevents Dropping packets when proxying 
Accounting-Requests
-                        *  to Cisco Secure ACS and possibily other 
implementations.
-                        */
-                       if (packet->code != PW_ACCOUNTING_RESPONSE) {
-                               lrad_hmac_md5(packet->data, 
packet->data_len,
-                                             secret, strlen(secret), 
calc_auth_vector);
-                               if (memcmp(calc_auth_vector, 
msg_auth_vector,
-                                           sizeof(calc_auth_vector)) != 0) 
{
-                                               char buffer[32];
-                                               librad_log("Received packet 
from %s with invalid Message-Authenticator!  (Shared secret is incorrect.)",
-                                                  ip_ntoa(buffer, 
packet->src_ipaddr));
-                                               return -1;
-                               } /* else the message authenticator was good 
*/
-                       }
+                       lrad_hmac_md5(packet->data, packet->data_len,
+                                     secret, strlen(secret), 
calc_auth_vector);
+                       if (memcmp(calc_auth_vector, msg_auth_vector,
+                                   sizeof(calc_auth_vector)) != 0) {
+                               char buffer[32];
+                               librad_log("Received packet from %s with 
invalid Message-Authenticator!  (Shared secret is incorrect.)",
+                                          ip_ntoa(buffer, 
packet->src_ipaddr));
+                               return -1;
+                       } /* else the message authenticator was good */

                        /*
                         *      Reinitialize Authenticators.
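Review bot: The new `if (packet->code != PW_ACCOUNTING_RESPONSE)` guard (the `-` lines are the patched version, given the reversed headers) skips the HMAC-MD5 comparison silently: an Accounting-Response that carries a Message-Authenticator which does not verify is accepted with no log line at all, so a wrong shared secret on the home server or a modified reply leaves no trace, and the bypass applies to every peer, not only the Cisco Secure ACS the comment names. Suggest logging the skip (a debug-level `librad_log` next to the existing "invalid Message-Authenticator" message) and making it a per-home-server option rather than a change to the library for all callers. The comment block should also cite which RFC was checked, since "RFCs doesn't specify how to calculate it" is the whole justification for the change.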



----- Original Message ----- 
From: "Thor Spruyt" <thor.spruyt at telenet.be>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Thursday, September 15, 2005 5:58 PM
Subject: Re: FreeRadius Proxying and Message-Authenticator


> Alan DeKok wrote:
>> "Paolo Rotela" <paolo.rotela at bluetelecom.com> wrote:
>>> So you are implementing YOUR radius to support YOUR PROPOSED
>>> method... well it seems some proprietary...
>
> If one wants control over a project, one should start his own project.
>
> It's clear to everybody that FreeRadius is widely used because it's strong
> and serves a general purpose (not to mention that it's free).
> So if one needs something specific to one's needs, one should contribute 
> and
> hope that the project coordinators will see a general benefit.
>
> Please do not reply... I just wanted to give Alan some credit, so that the
> FreeRadius project will continue to evolve like it has before.
>
> --
> Groeten, Regards, Salutations,
>
> Thor Spruyt
> M: +32 (0)475 67 22 65
> E: thor.spruyt at telenet.be
> W: www.thor-spruyt.com
>
> www.salesguide.be
> www.telenethotspot.be
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> 
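Worked example of the attribute the patch skips. This is added here and is not code from the post or from FreeRADIUS: a small Python model of RFC 2869's Message-Authenticator (HMAC-MD5 over the whole packet with the attribute value zeroed and the header authenticator set to the Request Authenticator) next to RFC 2866's Response Authenticator, with a verifier that can run strictly or with the patch's Accounting-Response bypass. The shared secret, the Request Authenticator and the home server that signs with a non-RFC input are all constructed for the demonstration; what the ACS actually does is not known from the thread.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866) and the attribute type from RFC 2869.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    """Code, identifier, length, 16-byte authenticator, then the attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def find_attr(packet, attr_type):
    """Return (value_offset, value) of the first attribute of attr_type, or None."""
    off = HEADER_LEN
    while off + 2 <= len(packet):
        atype, alen = packet[off], packet[off + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        if atype == attr_type:
            return off + 2, packet[off + 2:off + alen]
        off += alen
    return None


def message_authenticator(packet, secret, request_authenticator):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the Message-Authenticator value zeroed
    and the header authenticator replaced by the Request Authenticator (already there for a
    request; for a reply it stands in for the Response Authenticator)."""
    loc = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if loc is None:
        raise ValueError("packet has no Message-Authenticator")
    off, _ = loc
    buf = bytearray(packet)
    buf[4:HEADER_LEN] = request_authenticator
    buf[off:off + 16] = b"\x00" * 16
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def sign(packet, secret, request_authenticator):
    """Fill in the zeroed Message-Authenticator attribute."""
    off, _ = find_attr(packet, MESSAGE_AUTHENTICATOR)
    return packet[:off] + message_authenticator(packet, secret, request_authenticator) + packet[off + 16:]


def verify(packet, secret, request_authenticator, skip_accounting_response=False):
    """Return "ok", "bad", "absent" or "skipped". skip_accounting_response=True mirrors the
    posted patch, which bypasses the comparison whenever the code is Accounting-Response."""
    loc = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if loc is None:
        return "absent"
    if skip_accounting_response and packet[0] == ACCOUNTING_RESPONSE:
        return "skipped"
    _, got = loc
    expected = message_authenticator(packet, secret, request_authenticator)
    return "ok" if hmac.compare_digest(got, expected) else "bad"


def response_authenticator(code, ident, request_authenticator, attrs_bytes, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + request_authenticator + attrs_bytes + secret).digest()


def check_response_authenticator(packet, secret, request_authenticator):
    """This check is independent of Message-Authenticator and still runs when that one is skipped."""
    expected = response_authenticator(packet[0], packet[1], request_authenticator, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def demo():
    secret = b"testing123"        # constructed shared secret
    req_auth = bytes(range(16))   # constructed Request Authenticator (real ones are random)
    zero_ma = (MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    results = {}

    # A NAS signs an Access-Request; the proxy verifies it with the right and a wrong secret.
    req = sign(build_packet(ACCESS_REQUEST, 7, req_auth, [(USER_NAME, b"bob"), zero_ma]), secret, req_auth)
    results["access_request_ok"] = verify(req, secret, req_auth)
    results["access_request_wrong_secret"] = verify(req, b"wrong", req_auth)

    # Hypothetical home server: it computes Message-Authenticator over an all-zero
    # authenticator instead of the Request Authenticator (a constructed mismatch, not
    # the ACS's real rule) but sets a correct Response Authenticator with the shared secret.
    resp = build_packet(ACCOUNTING_RESPONSE, 7, req_auth, [zero_ma])
    resp = sign(resp, secret, b"\x00" * 16)
    resp = resp[:4] + response_authenticator(ACCOUNTING_RESPONSE, 7, req_auth, resp[HEADER_LEN:], secret) + resp[HEADER_LEN:]
    results["acct_response_strict"] = verify(resp, secret, req_auth)   # dropped, as the post describes
    results["acct_response_patched"] = verify(resp, secret, req_auth, skip_accounting_response=True)
    results["acct_response_authenticator_ok"] = check_response_authenticator(resp, secret, req_auth)

    # A packet carrying no Message-Authenticator at all is not HMAC-checked in either mode.
    acct = build_packet(ACCOUNTING_REQUEST, 8, req_auth, [(USER_NAME, b"bob")])
    results["no_attribute"] = verify(acct, secret, req_auth)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the two outcomes the thread argues about: the strict verifier returns "bad" for the mismatching Accounting-Response (FreeRADIUS drops the packet), the patched one returns "skipped", and in both modes the Response Authenticator still checks out with the shared secret, which is the integrity check that remains once the Message-Authenticator comparison is disabled for that packet type.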