There is no "Calling-Station-Id" attribute in access-requests sent in response to radius challenge from pam_radius-1.3.17-2.el6.x86_64 (CentOS release 6.5)

Dmitry Saratsky simpot at simpot.com
Mon Sep 1 12:49:37 CEST 2014


Hi Axel,

Thank you for update!

> According to RFC 2865, an Access-Request packet MUST come with either a Calling-Station-Id or a NAS-Identifier AVP.
> So, if you don't have one, perhaps could you achieve something with the other one (if present, of course)?

NAS-Identifier attribute is sent on both access-requests, but is helpless for me, bcz I can't update it dynamically on linux machine...
I'm developing the feature, that will reject user authentication for user+nas_ip+calling-station-id if in log it more than X failed login within last Y minutes from the user. Now this feature is working, but it rejects requestes based on user+nas_ip only, bcz calling_station_id is blank ((((

> Looks more to be a "RADIUS_CLIENT" issue.

Yeah, I already reported new issue on github to pam_radius developers, but I afraid they will ignore it, just because NAS-Identifier is sent in both requests(((

> Could you post an example of a (first Access-Request, second Access-Request) pair sent by that "RADIUS_CLIENT"?
Sure, here is the output:
1st Access-Request:
rad_recv: Access-Request packet from host 192.168.64.11 port 17193, id=5, length=98
        User-Name = "username"
        User-Password = "some password"
        NAS-IP-Address = 192.168.64.11
        NAS-Identifier = "sshd"
        NAS-Port = 16168
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "192.168.65.20"

Sending Access-Challenge of id 5 to 192.168.64.11 port 17193
        Reply-Message = "OTP code: "
        State = 0x33643539623066642d333162662d313165342d393939332d353235343030613964313334

2nd Access-Request:
rad_recv: Access-Request packet from host 192.168.64.11 port 17193, id=6, length=108
        User-Name = "username"
        User-Password = "736396"
        NAS-IP-Address = 192.168.64.11
        NAS-Identifier = "sshd"
        NAS-Port = 16168
        NAS-Port-Type = Virtual
        State = 0x33643539623066642d333162662d313165342d393939332d353235343030613964313334


BR,
Dmitry.

-----Original Message-----
From: freeradius-users-bounces+simpot=simpot.com at lists.freeradius.org [mailto:freeradius-users-bounces+simpot=simpot.com at lists.freeradius.org] On Behalf Of Axel Luttgens
Sent: 01 Sep 2014 11:52
To: FreeRadius users mailing list
Subject: Re: There is no "Calling-Station-Id" attribute in access-requests sent in response to radius challenge from pam_radius-1.3.17-2.el6.x86_64 (CentOS release 6.5)

Le 31 août 2014 à 23:21, Dmitry Saratsky a écrit :

> Hi all,
> 
> I'm using freeradius for custom 2-factor OTP authentication as below:
> RADIUS_CLIENT > Access-Request(User/Pass) > FreeRADIUS(check user pass 
> and if ok -> generates state) > Access-Challenge > RADIUS_CLIENT> 
> Access-Request(User/OTP/state) > FreeRADIUS
> 
> In first Access-Request (before Access-Challenge) RADIUS_CLIENT is 
> sending all required attributes well My problem is on the second Access-Request (after Access-Challenge). There is no "Calling-Station-Id" attribute on this state for some reason...
> I have checked this on the following radius client: 
> pam_radius-1.3.17-2.el6.x86_64 (CentOS release 6.5)

Hello Dmitri,

According to RFC 2865, an Access-Request packet MUST come with either a Calling-Station-Id or a NAS-Identifier AVP.
So, if you don't have one, perhaps could you achieve something with the other one (if present, of course)?


> Anyone can suggest some work around for above? Maybe it is configuration issue I'm missing?

Looks more to be a "RADIUS_CLIENT" issue.
Could you post an example of a (first Access-Request, second Access-Request) pair sent by that "RADIUS_CLIENT"?

Axel


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list