Help: Does FreeRadius 1.1.3 support any encryption algorithm specified in RFC 2868.

Govardhana K N govardhan.nagarajaiah at gmail.com
Mon Jul 16 10:47:54 CEST 2007


Alan,

I followed these steps to configure the Microsoft attributes and
other vendor attributes:

1. Created and configured the vendor attributes (MN-HA-MIP4-KEY,
MN-HA-MIP4-SPI) in dictionary.wimax with the option "encrypt=2"; the
values are getting encrypted.

2. Configured in file "users" to check for Nas-Identifier and Nas-Port-Type
and configured the attributes for access-accept as below:
--------------------------------------------------------------------------------------------------------------------------------------------------------------
     govardhana  Nas-Identifier == nas, Nas-Port-Type == 15
            CUI = cui,
            Class = class,
            State = state,
            Framed-MTU = 1400,
            Framed-Ip-Address = 1.2.3.4,
            Service-Type = Framed-User,
            session-timeout = 30,
            MS-MPPE-Send-Key = msk,
            MS-MPPE-Recv-Key = recvmsk,
            AAA-Session-Id = multisessionid,
            HA-IP-MIP4 = 1.1.1.1,
            Dhcpv4-Server = 2.2.2.2,
            MN-HA-MIP4-KEY = mipkey,
            MN-HA-MIP4-SPI = mipspi,
            DHCP-RK = dhcprk,
            DHCP-RK-KEY-ID = dhcpkey,
            DHCP-RK-LIFETIME = 20
--------------------------------------------------------------------------------------------------------------------------------------------------------------

3. Below is the snapshot from client:
--------------------------------------------------------------------------------------------------------------------------------------------------------------
     cheux301:/home/govardhana# radclient -x localhost auth jrcsecret < access-request
     Sending Access-Request of id 173 to 127.0.0.1 port 1812
        User-Name = "govardhana"
        User-Password = "govardhana"
        NAS-Identifier = "nas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
     rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=173, length=305
        CUI = "cui"
        Class = 0x6a7263636c617373
        State = 0x6a72637374617465
        Framed-MTU = 1400
        Framed-IP-Address = 1.2.3.4
        Service-Type = Framed-User
        Session-Timeout = 30
        MS-MPPE-Send-Key = 0x6a72636d736b
        MS-MPPE-Recv-Key = 0x6a7263726563766d736b
        AAA-Session-Id = "multisessionid"
        HA-IP-MIP4 = "1.1.1.1"
        DHCPv4-Server = "2.2.2.2"
        MN-HA-MIP4-KEY = "\225~\035\235\354\363\203\316Z\377\327\2174\360\330r\30"
        MN-HA-MIP4-SPI = "\234V.\326\014_\363fn\253_K\355-([\326\020"
        DHCP-RK = "dhcprk"
        DHCP-RK-KEY-ID = "dhcpkey"
        DHCP-RK_LIFETIME = "20"
--------------------------------------------------------------------------------------------------------------------------------------------------------------

5. Below is the snapshot from the server:
--------------------------------------------------------------------------------------------------------------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1:32813, id=173, length=92
        User-Name = "govardhana"
        User-Password = "govardhana"
        NAS-Identifier = "jrcnas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "govardhana", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry govardhana at line 177
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
Login OK: [govardhana] (from client localhost port 0 cli 1:1:1:1:1:1)
Sending Access-Accept of id 173 to 127.0.0.1 port 32813
        CUI = "jrccui"
        Class = 0x6a7263636c617373
        State = 0x6a72637374617465
        Framed-MTU = 1400
        Framed-IP-Address = 1.2.3.4
        Service-Type = Framed-User
        Session-Timeout = 30
        WiMAX-Capability = "Accounting-Capability"
        MS-MPPE-Send-Key = 0x6a72636d736b
        MS-MPPE-Recv-Key = 0x6a7263726563766d736b
        AAA-Session-Id = "jrcmultisessionid"
        HA-IP-MIP4 = "1.1.1.1"
        DHCPv4-Server = "2.2.2.2"
        MN-HA-MIP4-KEY = "jrcmipkey"
        MN-HA-MIP4-SPI = "jrcmipspi"
        DHCP-RK = "jrcdhcprk"
        DHCP-RK-KEY-ID = "jrcdhcpkey"
        DHCP-RK-LIFETIME = "20"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 173 with timestamp 469b7797
Nothing to do.  Sleeping until we see a request.
--------------------------------------------------------------------------------------------------------------------------

As I am new to RADIUS, I configured these parameters based on my study. Is
there anything else that needs to be configured?
I also made sure that the option "encrypt=2" is present for the Microsoft keys.
After studying the man page for dictionary, I configured some attributes
(MN-HA-MIP4-KEY, MN-HA-MIP4-SPI) with the "encrypt=2" option in the
corresponding dictionary file (dictionary.wimax). These attributes are
getting encrypted, as you can see in the debug log, but the Microsoft keys are
still not encrypted.



Thanks & Regards,
Govardhana K N


On 7/16/07, Alan DeKok <aland at deployingradius.com> wrote:
>
> Govardhana K N wrote:
> > I need one more help. I tried to include Microsoft attributes
> > (MS-MPPE-Send-Key, MS-MPPE-Recv-Key) for which the encryption type is
> > already set to 2, but the attribute values are not getting encrypted in
> > Access-Accept. How can I solve this problem?
>
> Post the debug log, as suggested in the FAQ, README, INSTALL, and many
> other places.
>
> Are you *sure* the attributes are not being encrypted?  Or maybe it's
> just you're not familiar with the process?
>
> Alan DeKok.



-- 
With Regards,
Govardhana K N
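
The salted encryption from RFC 2868 section 3.5, which the FreeRADIUS dictionary flag "encrypt=2" selects, is sketched below as an added example; it is not part of the original post and not FreeRADIUS code. The function names and the Request Authenticator value are assumptions made for illustration; the shared secret and key text are the ones shown in the post's logs.

```python
import hashlib
import os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_salted(plain, secret, authenticator, salt=None):
    """Return salt + ciphertext per RFC 2868 section 3.5."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(plain) > 255:
        raise ValueError("plaintext too long for one length octet")
    if salt is None:
        r = os.urandom(2)
        salt = bytes([r[0] | 0x80, r[1]])  # high bit of the salt must be set
    data = bytes([len(plain)]) + plain     # length octet precedes the key
    data += b"\x00" * (-len(data) % 16)    # zero-pad to 16-octet blocks
    out, prev = b"", authenticator + salt
    for i in range(0, len(data), 16):
        block = _xor(data[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                       # chain on previous ciphertext
    return salt + out

def decrypt_salted(value, secret, authenticator):
    """Reverse encrypt_salted; needs the same secret and authenticator."""
    if len(value) < 18 or (len(value) - 2) % 16:
        raise ValueError("malformed salted attribute value")
    salt, cipher = value[:2], value[2:]
    plain, prev = b"", authenticator + salt
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad length octet: wrong secret or authenticator?")
    return plain[1:1 + n]

# Constructed sample values (secret and key text taken from the post's logs).
SECRET = b"jrcsecret"
AUTHENTICATOR = bytes(range(16))           # constructed, not from a capture
KEY = bytes.fromhex("6a72636d736b")        # value shown for MS-MPPE-Send-Key

if __name__ == "__main__":
    wire = encrypt_salted(KEY, SECRET, AUTHENTICATOR)
    print("on the wire:", wire.hex())
    print("decoded    :", decrypt_salted(wire, SECRET, AUTHENTICATOR))
```

Any receiver holding the shared secret and the Request Authenticator can reverse the transform, so a debug tool may print the decoded value rather than the bytes that travelled on the wire.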