Freeradius-Users Digest, Vol 5, Issue 91

Ashwin Gobind Ashwin.Gobind at vodacom.co.za
Wed Sep 28 20:09:30 CEST 2005


If the message authenticator is all zeros, then I can send a request
from one freeradius server to another without any problems. The problem
is when I use Radiator with freeradius sending accounting messages to
it; it complains about Authentication failure.  So I assumed that
Radiator does not like a blank MA.  Hence I tried to produce one and add
it to the accounting packet before sending it to Radiator.  However it
still fails.



-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
freeradius-users-request at lists.freeradius.org
Sent: 28 September 2005 07:06 PM
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 5, Issue 91


Today's Topics:

   1. Re: AccountingReq message authenticator (Michael Lecuyer)
   2. Re: Questions about upgrading Freeradius (Linda Pagillo)
   3. Re: Expose RADIUS packet's identifier  (Alan DeKok)
   4. Re: Questions about upgrading Freeradius  (Alan DeKok)
   5. Re: Chap,LDAP and Passwords :)  (Alan DeKok)
   6. Re: Crashes with 1.0.4/1.0.5, perhaps connected with slow
      LDAP backend?  (Alan DeKok)
   7. Re: EAP-TLS reject if CN not in MySQL  (Alan DeKok)
   8. Re: Questions about upgrading Freeradius (Dusty Doris)
   9. Re: Questions about upgrading Freeradius (Linda Pagillo)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Sep 2005 10:48:42 -0400
From: Michael Lecuyer <mjl at theorem.com>
Subject: Re: AccountingReq message authenticator
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <433AAD4A.305 at theorem.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

There is no way to generate a message authenticator in an 
Accounting-Request packet the usual way it's generated for an 
Access-Request.

The accounting packet is signed by the client, therefore there cannot be 
two signatures created for the entire packet. By the very nature of 
creating a signature, the second signature will alter the packet's 
contents, invalidating the first signature.

The Message-Authenticator can be only one of two things. Either it's 
calculated as a hash of the attributes or it's a random number (like the 
Access-Request authenticator). From your information I suspect it's the 
former.

You might try using the traditional MA calculation for the MA on just 
the attributes with an empty (zeroed) MA present and back patch the MA. 
If this works please let me know.

Or, if someone has accounting packets generated with proper MA's please 
send them to me and I'll try some standard hashes. The MA is 
traditionally created as an MD5-HMAC of the shared secret and the entire 
packet's contents with an empty (16 byte) Message-Authenticator. For an 
accounting packet MA, use just the attribute block instead of the entire 
packet: try just the attributes with the empty MA.


Ashwin Gobind wrote:
> Hi.
> 
> Is there any way to generate a message authenticator for an accounting 
> request packet.  At the moment I am using JRadius, I need to send an 
> accounting request message to another radius server.  However after I 
> add the message authenticator and send it to another server, the other 
> server complains about "Invalid message authenticator"  (Shared secret 
> is incorrect).
> 
> Here is some code :
> 
>     //Proxy request to the wap gateway
>     DatagramSocket socket = new DatagramSocket();
>     socket.setSoTimeout(5000);
> 
>     //Generate authenticator
>     MessageDigest md5 = MessageDigest.getInstance("MD5");
>     md5.reset();
>     md5.update((byte)req.getCode());
>     md5.update((byte)req.getIdentifier());
>     int length = req.getBytes().length;
>     byte [] authenticator = req.getAuthenticator();
>     byte [] attributeBytes = req.getAttributeBytes(req.getAttributes(),0);
>     for (int z=0; z <authenticator.length ; z++ )
>         RadiusLog.debug("Autenticator["+z+"] Before = " + authenticator[z]);
>     RadiusLog.debug("Autenticator Length: " + authenticator.length);
>     RadiusLog.debug("Attributes Length: " + attributeBytes.length);
>     RadiusLog.debug("Paket Length: " + length);
> 
>     String sharedSecret = "testing123";
>     // MD5 over Code, Identifier, Length, the current authenticator field,
>     // the attribute bytes and the shared secret
>     md5.update((byte)(length >> 8));
>     md5.update((byte)(length & 0xff));
>     md5.update(authenticator, 0, authenticator.length);
>     md5.update(attributeBytes, 0, attributeBytes.length);
>     md5.update(sharedSecret.getBytes());
>     // The attribute is created from the authenticator array before the
>     // digest is copied into that array
>     req.overwriteAttribute(AttributeFactory.newAttribute(AttributeDictionary.MESSAGE_AUTHENTICATOR, authenticator));
>     System.arraycopy(md5.digest(), 0, authenticator, 0, 16);
> 
------------------------------------------------------------------------
> 
> - 
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
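
The two computations being confused in this thread, as an added worked example in Python (it is not code from the thread, JRadius, FreeRADIUS or Radiator): the RFC 2866 Request Authenticator is MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret), which is what the quoted snippet computes when the authenticator field it hashes is zero; the Message-Authenticator (attribute 80) is an HMAC-MD5 keyed with the shared secret, with the attribute's own value zeroed and then back-patched, as suggested in the reply above. The ordering used here for an Accounting-Request (HMAC over the whole packet with the Request Authenticator zeroed, then the Request Authenticator computed over the packet that already carries the real MA) is what FreeRADIUS does and what RFC 5080 section 2.2.2 describes; treat that, the attribute values and the secret as this example's assumptions. The verifier shows that a packet built the way the snippet does it passes the Request Authenticator check but fails the Message-Authenticator check.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4       # RADIUS Code
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type
AUTH_LEN = 16
HEADER_LEN = 20


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type (1 octet), Length (1 octet, counts T and L), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must fit in 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def rfc2866_request_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 2866 section 3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    return hashlib.md5(header + bytes(AUTH_LEN) + attrs + secret).digest()


def build_accounting_request(identifier: int, attributes, secret: bytes) -> bytes:
    """Signed Accounting-Request with a Message-Authenticator (assumed FreeRADIUS/RFC 5080 order).
    attributes: iterable of (type, value-bytes) pairs, without attribute 80."""
    attrs = b"".join(encode_attr(t, v) for t, v in attributes)
    attrs += encode_attr(MESSAGE_AUTHENTICATOR, bytes(AUTH_LEN))   # zeroed placeholder, last
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    # Step 1: HMAC-MD5 over the packet with Request Authenticator and MA value both zeroed.
    ma = hmac.new(secret, header + bytes(AUTH_LEN) + attrs, hashlib.md5).digest()
    attrs = attrs[:-AUTH_LEN] + ma                                 # back-patch the MA value
    # Step 2: Request Authenticator over the packet that now carries the real MA.
    req_auth = rfc2866_request_authenticator(header, attrs, secret)
    return header + req_auth + attrs


def build_with_md5_as_ma(identifier: int, attributes, secret: bytes) -> bytes:
    """What the quoted snippet does: the RFC 2866 MD5 (packet + secret) is written into the
    Message-Authenticator value instead of an HMAC. Kept only to show a verifier rejects it."""
    attrs = b"".join(encode_attr(t, v) for t, v in attributes)
    attrs += encode_attr(MESSAGE_AUTHENTICATOR, bytes(AUTH_LEN))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    attrs = attrs[:-AUTH_LEN] + rfc2866_request_authenticator(header, attrs, secret)
    return header + rfc2866_request_authenticator(header, attrs, secret) + attrs


def find_attr(packet: bytes, attr_type: int):
    """Walk the attribute list; return (value_offset, value) for the first match, else None."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if t == attr_type:
            return pos + 2, packet[pos + 2:pos + length]
        pos += length
    return None


def verify_accounting_request(packet: bytes, secret: bytes):
    """Return (request_authenticator_ok, message_authenticator_ok);
    the second is None when the packet carries no attribute 80."""
    if len(packet) < HEADER_LEN:
        return False, None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False, None
    header, req_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    req_ok = hmac.compare_digest(rfc2866_request_authenticator(header, attrs, secret), req_auth)
    found = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if found is None:
        return req_ok, None
    offset, ma = found
    if len(ma) != AUTH_LEN:
        return req_ok, False
    zeroed = bytearray(packet)                          # rebuild the sender's view:
    zeroed[4:HEADER_LEN] = bytes(AUTH_LEN)              # Request Authenticator zeroed ...
    zeroed[offset:offset + AUTH_LEN] = bytes(AUTH_LEN)  # ... and the MA value zeroed
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return req_ok, hmac.compare_digest(expected, ma)


# Constructed sample: User-Name (1), Acct-Status-Type (40) = Start, Acct-Session-Id (44).
SAMPLE_ATTRS = [(1, b"alice"), (40, struct.pack("!I", 1)), (44, b"0000a1b2")]
SECRET = b"testing123"   # the secret used in the quoted snippet

if __name__ == "__main__":
    good = build_accounting_request(7, SAMPLE_ATTRS, SECRET)
    print("HMAC-MD5 MA:", verify_accounting_request(good, SECRET))   # (True, True)
    bad = build_with_md5_as_ma(7, SAMPLE_ATTRS, SECRET)
    print("MD5 as MA  :", verify_accounting_request(bad, SECRET))    # (True, False)
```

The receiver-side check is the useful part for a defender: a peer that validates attribute 80 on accounting traffic will reject a packet whose MA is really a Request Authenticator, which is the "Invalid message authenticator (Shared secret is incorrect)" symptom, even though the shared secret is right and the RFC 2866 signature itself verifies.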



------------------------------

Message: 2
Date: Wed, 28 Sep 2005 10:17:59 -0500
From: "Linda Pagillo" <linda at n2thenet.com>
Subject: Re: Questions about upgrading Freeradius
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <009301c5c43f$cffd60c0$2902a8c0 at com.tnaccess.com>
Content-Type: text/plain;	charset="iso-8859-1"

Thanks for your reply. Is it really this much work to do a simple upgrade?
Is there a shortcut?
----- Original Message ----- 
From: "Dusty Doris" <freeradius at mail.doris.cc>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Wednesday, September 28, 2005 9:58 AM
Subject: Re: Questions about upgrading Freeradius


> On Wed, 28 Sep 2005, Linda Pagillo wrote:
>
> > Hi everyone:
> >
> > I have been using Freeradius v.0.9.3 for over a year and I wish to
> > upgrade to the latest version. Can anyone give me detailed instructions
> > on how to do this? I use Freeradius in a production environment and I
> > can't afford to mess it up. I'm running Linux RedHat 9. Do I just do a
> > ./configure, make and make install like I did the first time? If yes,
> > won't that overwrite all of my current config files? Thanks!
> >
>
> First, I would recommend setting up a lab machine (you can do it on your
> workstation if you need to) to test that your configs work correctly with
> the new version.  It's probably backward compatible, but I wouldn't just
> blindly upgrade on production and hope for the best.
>
> Then you could compile freeradius with --prefix.  This will put all
> configurations, binaries, etc. into a certain directory.  For example:
>
> ./configure --prefix=/usr/local/freeradius1.0.5
> make
> make install
>
> When that's done, cd to /usr/local/freeradius1.0.5/etc/raddb and change
> your files to make it work like it did in testing.  Shutdown the current
> radius version and start up the new one with
> /usr/local/freeradius1.0.5/sbin/radiusd -X and see if it's working.  If so,
> modify your startup scripts to point to the new version instead of the
> old.
>



------------------------------

Message: 3
Date: Wed, 28 Sep 2005 11:23:31 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: Expose RADIUS packet's identifier 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928152332.0133B16CC1 at mail.nitros9.org>

Josh Howlett <josh.howlett at bristol.ac.uk> wrote:
> Does anyone know if the server can expose a RADIUS packet's identifier, 
> for example through mod_exec? Or, is this limited to RADIUS attributes only?

ATTRIBUTE	Packet-Authentication-Vector		1088	octets

  It *could* have been somewhere in the documentation, but...

  Alan DeKok.


------------------------------

Message: 4
Date: Wed, 28 Sep 2005 12:08:13 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: Questions about upgrading Freeradius 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928160813.115C916CC1 at mail.nitros9.org>

"Linda Pagillo" <linda at n2thenet.com> wrote:
> Thanks for your reply. Is it really this much work to do a simple upgrade?
> Is there a shortcut?

  Not really.  Doing the upgrade slowly is less work than doing it
quickly, and then having your RADIUS server down because you missed
something.

  Alan DeKok.



------------------------------

Message: 5
Date: Wed, 28 Sep 2005 12:09:11 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: Chap,LDAP and Passwords :) 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928160911.41F2616CC1 at mail.nitros9.org>

liz <liz at unixgrrl.net> wrote:
> However, if I turn on CHAP based authentication I get a message from  
> the radius server that USER-PASSWORD is a required attribute.

 You set Auth-Type := LDAP.  Don't do that.  LDAP doesn't understand
CHAP.

> I am going to try another radius plugin I found today on
> sourceforge to try and narrow it down.

  That's not necessary.

  Alan DeKok.



------------------------------

Message: 6
Date: Wed, 28 Sep 2005 12:12:56 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: Crashes with 1.0.4/1.0.5,	perhaps connected with slow
	LDAP backend? 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928161256.3095E16CC1 at mail.nitros9.org>

Martin Pauly <pauly at hrz.uni-marburg.de> wrote:
> We do have performance problems with our LDAP backend,
> so this sounds reasonable, but could this cause the server to crash?

  Yes.  If all of the threads are blocked forever, waiting for the DB
to return data, then the queue of requests grows without bounds.  At
some point, the server says "I'm not making progress, and I can't
recover from this", and kills itself.

  Since the server is *already* effectively dead at that point, it
makes no difference to your network.

  The solution is to fix the database so that it doesn't kill the
server.

  Alan DeKok.



------------------------------

Message: 7
Date: Wed, 28 Sep 2005 12:14:05 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: EAP-TLS reject if CN not in MySQL 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928161405.5BBA516E0B at mail.nitros9.org>

"Jonathan De Graeve" <Jonathan.De.Graeve at imelda.be> wrote:
> imply a group that changes the default ACTIONs to something like
> 
>   fail = 1
>   everythingelse = return
> 
> Tried in config:
> 
> everythingelse = return
> 
> radiusd.conf[1637] Unknown module rcode 'everythingelse'.

  It was NOT meant to be taken literally.

> Any ideas?

  Read doc/configurable_failover, and type in all the other return
codes by hand.

  Alan DeKok.



------------------------------

Message: 8
Date: Wed, 28 Sep 2005 12:48:09 -0400 (EDT)
From: Dusty Doris <freeradius at mail.doris.cc>
Subject: Re: Questions about upgrading Freeradius
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <20050928124746.N93079 at mail.doris.name>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

You consider that much work?  I wish I had your job!

:)



------------------------------

Message: 9
Date: Wed, 28 Sep 2005 11:58:04 -0500
From: "Linda Pagillo" <linda at n2thenet.com>
Subject: Re: Questions about upgrading Freeradius
To: "FreeRadius users mailing list"
	<freeradius-users at lists.freeradius.org>
Message-ID: <00b901c5c44d$cb1f9e20$2902a8c0 at com.tnaccess.com>
Content-Type: text/plain;	charset="iso-8859-1"

I wish you had my job too because I'm about fed up with this crap..
Anyway, thanks for the reply, I'll do it.



------------------------------

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest, Vol 5, Issue 91
***********************************************
"This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.net/legal/email.aspx"



