Proxy Freeradius 3.0.11 remove Message-Authenticator
Hello, We would like to upgrade our proxy RADIUS solution from Freeradius 2.2.6 to Freeradius 3.0.11. We collect and switch PPP authentication/accounting requests to our different customers. One of them reject all authentication request if they are sent with < Message-Authenticator > attribute. We would like to upgrade without asking any changes to our clients. We configure the home_server with option "require_message_authenticator = no" in proxy.conf but < Message-Authenticator > attribute is still present in the proxy request. Alan DeKok said previously : "> I believe Message-Authenticator is now always sent in 3.0, unconditionally. Yes. It's best to always send it. It enables security and debugging checks that are otherwise not possible." Even if it's recommanded, is it possible to remove < Message-Authenticator > attribute in the proxy request ? Regards. Xavier -- Les donnees et renseignements contenus dans ce message sont personnels, confidentiels et secrets. Toute publication, utilisation ou diffusion, meme partielle, doit etre autorisee. Si vous n'etes pas le bon destinataire, nous vous demandons de ne pas lire, copier, utiliser ou divulguer cette communication. Nous vous prions de notifier cette erreur a l'expediteur et d'effacer immediatement cette communication de votre systeme. Any data and information contained in this electronic mail is personal, confidential and secret. Any total or partial publication, use or distribution must be authorized. If you are not the right addressee, we ask you not to read, copy, use or disclose this communication. Please notify this error to the sender and erase at once this communication from your system.
On 8 Apr 2016, at 09:00, LABAT, Xavier <xavier.labat@axione.fr> wrote:
Hello,
We would like to upgrade our proxy RADIUS solution from Freeradius 2.2.6 to Freeradius 3.0.11. We collect and switch PPP authentication/accounting requests to our different customers. One of them reject all authentication request if they are sent with < Message-Authenticator > attribute. We would like to upgrade without asking any changes to our clients. We configure the home_server with option "require_message_authenticator = no" in proxy.conf but < Message-Authenticator > attribute is still present in the proxy request.
Alan DeKok said previously : "> I believe Message-Authenticator is now always sent in 3.0, unconditionally. Yes. It's best to always send it. It enables security and debugging checks that are otherwise not possible."
Even if it's recommanded, is it possible to remove < Message-Authenticator > attribute in the proxy request ?
You have access to the list of attributes used for the proxy request in the pre-proxy section. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Apr 8, 2016, at 9:00 AM, LABAT, Xavier <xavier.labat@axione.fr> wrote:
We would like to upgrade our proxy RADIUS solution from Freeradius 2.2.6 to Freeradius 3.0.11. We collect and switch PPP authentication/accounting requests to our different customers. One of them reject all authentication request if they are sent with < Message-Authenticator > attribute. We would like to upgrade without asking any changes to our clients.
Message-Authenticator was standardized in the year 2000. If the customers can't support that, they have serious problems. But I think I know who the customer is. And... they should upgrade to a modern RADIUS server.
We configure the home_server with option "require_message_authenticator = no" in proxy.conf but < Message-Authenticator > attribute is still present in the proxy request.
Yes. That option was removed in 3.0.
Even if it's recommanded, is it possible to remove < Message-Authenticator > attribute in the proxy request ?
That's what the pre-proxy section is for: pre-proxy { ... update proxy { Message-Authenticator !* ANY } ... } And tell the customer to upgrade to a RADIUS server which has been written in the last 20 years. Alan DeKok.
Thanks for your answers, it work perfectly like this : pre-proxy { update proxy-request { Message-Authenticator !* ANY } } That's what I tried but badly : pre-proxy { update request { Message-Authenticator -= "%{request:Message-Authenticator}" } Thanks for your help. Regards. Xavier -----Message d'origine----- De : Freeradius-Users [mailto:freeradius-users-bounces+xavier.labat=axione.fr@lists.freeradius.org] De la part de Alan DeKok Envoyé : vendredi 8 avril 2016 15:09 À : FreeRadius users mailing list Objet : Re: Proxy Freeradius 3.0.11 remove Message-Authenticator On Apr 8, 2016, at 9:00 AM, LABAT, Xavier <xavier.labat@axione.fr> wrote:
We would like to upgrade our proxy RADIUS solution from Freeradius 2.2.6 to Freeradius 3.0.11. We collect and switch PPP authentication/accounting requests to our different customers. One of them reject all authentication request if they are sent with < Message-Authenticator > attribute. We would like to upgrade without asking any changes to our clients.
Message-Authenticator was standardized in the year 2000. If the customers can't support that, they have serious problems. But I think I know who the customer is. And... they should upgrade to a modern RADIUS server.
We configure the home_server with option "require_message_authenticator = no" in proxy.conf but < Message-Authenticator > attribute is still present in the proxy request.
Yes. That option was removed in 3.0.
Even if it's recommanded, is it possible to remove < Message-Authenticator > attribute in the proxy request ?
That's what the pre-proxy section is for: pre-proxy { ... update proxy { Message-Authenticator !* ANY } ... } And tell the customer to upgrade to a RADIUS server which has been written in the last 20 years. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Les donnees et renseignements contenus dans ce message sont personnels, confidentiels et secrets. Toute publication, utilisation ou diffusion, meme partielle, doit etre autorisee. Si vous n'etes pas le bon destinataire, nous vous demandons de ne pas lire, copier, utiliser ou divulguer cette communication. Nous vous prions de notifier cette erreur a l'expediteur et d'effacer immediatement cette communication de votre systeme. Any data and information contained in this electronic mail is personal, confidential and secret. Any total or partial publication, use or distribution must be authorized. If you are not the right addressee, we ask you not to read, copy, use or disclose this communication. Please notify this error to the sender and erase at once this communication from your system.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
LABAT, Xavier