Hi people. I'm posting this in case it can be useful to anybody that wants to do the same as me. At the moment is the only way I found to make FreeRADIUS to proxy packets to a Cisco Secure ACS. I know it's a dumb patch, it is simply an "if" wich ignores the check of attribute "Message-Authenticator" for Accounting-Response packets. Anyway I wanted to test it as far as I could. By now it was working from last Thursday up to now, and without problems. I hope some day an RFC arrives to bring light to de darkness of this attribute. I only want to clarify that this is not an specific issue that I came across. It's a gereric issue between FreeRADIUS and Cisco. This is the patch file I used in the radius.c code: # cat freeradius.patch diff -Naur freeradius-1.0.5-patched/src/lib/radius.c freeradius-1.0.5/src/lib/radius.c --- freeradius-1.0.5-patched/src/lib/radius.c 2005-09-16 09:39:53.345956517 -0300 +++ freeradius-1.0.5/src/lib/radius.c 2005-08-19 16:43:46.000000000 -0300 @@ -669,7 +669,7 @@ memset ((char *) &salocal, '\0', sizeof (salocal)); salocal.sin_family = AF_INET; salocal.sin_addr.s_addr = packet->src_ipaddr; - + return sendfromto(packet->sockfd, packet->data, (int)packet->data_len, 0, (struct sockaddr *)&salocal, sizeof(struct sockaddr_in), (struct sockaddr *)&saremote, sizeof(struct sockaddr_in)); @@ -1198,23 +1198,15 @@ break; } - /* Patch by Martin Arrieta and Paolo Rotela. - * Ignores Message-Authenticator in Accounting Response packets - * Because RFCs doesn't specify how to calculate it. - * It prevents Dropping packets when proxying Accounting-Requests - * to Cisco Secure ACS and possibily other implementations. - */ - if (packet->code != PW_ACCOUNTING_RESPONSE) { - lrad_hmac_md5(packet->data, packet->data_len, - secret, strlen(secret), calc_auth_vector); - if (memcmp(calc_auth_vector, msg_auth_vector, - sizeof(calc_auth_vector)) != 0) { - char buffer[32]; - librad_log("Received packet from %s with invalid Message-Authenticator! (Shared secret is incorrect.)", - ip_ntoa(buffer, packet->src_ipaddr)); - return -1; - } /* else the message authenticator was good */ - } + lrad_hmac_md5(packet->data, packet->data_len, + secret, strlen(secret), calc_auth_vector); + if (memcmp(calc_auth_vector, msg_auth_vector, + sizeof(calc_auth_vector)) != 0) { + char buffer[32]; + librad_log("Received packet from %s with invalid Message-Authenticator! (Shared secret is incorrect.)", + ip_ntoa(buffer, packet->src_ipaddr)); + return -1; + } /* else the message authenticator was good */ /* * Reinitialize Authenticators. ----- Original Message ----- From: "Thor Spruyt" <thor.spruyt@telenet.be> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Sent: Thursday, September 15, 2005 5:58 PM Subject: Re: FreeRadius Proxying and Message-Authenticator
Alan DeKok wrote:
"Paolo Rotela" <paolo.rotela@bluetelecom.com> wrote:
So you are implementing YOUR radius to support YOUR PROPOSED method... well it seems some propietary...
If one wants control over a project, one should start his own project.
It's clear to everybody that FreeRadius is widely used because it's strong and serves a general purpose (not to mention that it's free). So if one needs something specific to one's needs, one should contribute and hope that the project coordinators will see a general benefit.
Please do not reply... I just wanted to give Alan some credit, so that the FreeRadius project will continue to evolve like it has before.
-- Groeten, Regards, Salutations,
Thor Spruyt M: +32 (0)475 67 22 65 E: thor.spruyt@telenet.be W: www.thor-spruyt.com
www.salesguide.be www.telenethotspot.be
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html