FreeRadius Proxying and Message-Authenticator
Paolo Rotela
paolo.rotela at bluetelecom.com
Mon Sep 19 14:58:22 CEST 2005
Hi people. I'm posting this in case it can be useful to anybody that wants
to do the same as me.
At the moment it is the only way I found to make FreeRADIUS proxy packets to
a Cisco Secure ACS. I know it's a dumb patch, it is simply an "if" which
ignores the check of attribute "Message-Authenticator" for
Accounting-Response packets. Anyway I wanted to test it as far as I could.
It has been working from last Thursday up to now, without problems.
I hope some day an RFC arrives to bring light to the darkness of this
attribute.
I only want to clarify that this is not a specific issue that I came
across. It's a generic issue between FreeRADIUS and Cisco.
This is the patch file I used in the radius.c code:
# cat freeradius.patch
diff -Naur freeradius-1.0.5-patched/src/lib/radius.c
freeradius-1.0.5/src/lib/radius.c
--- freeradius-1.0.5-patched/src/lib/radius.c 2005-09-16
09:39:53.345956517 -0300
+++ freeradius-1.0.5/src/lib/radius.c 2005-08-19 16:43:46.000000000 -0300
@@ -669,7 +669,7 @@
memset ((char *) &salocal, '\0', sizeof (salocal));
salocal.sin_family = AF_INET;
salocal.sin_addr.s_addr = packet->src_ipaddr;
-
+
return sendfromto(packet->sockfd, packet->data,
(int)packet->data_len, 0,
(struct sockaddr *)&salocal,
sizeof(struct sockaddr_in),
(struct sockaddr *)&saremote,
sizeof(struct sockaddr_in));
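Review bot: this hunk is whitespace-only (the `-`/`+` pair on the blank line between `salocal.sin_addr.s_addr = packet->src_ipaddr;` and the `return sendfromto(...)` call carries no visible characters), so it is unrelated to the Message-Authenticator change and should be dropped from the patch. Note also that the file headers put the patched tree (`freeradius-1.0.5-patched`) on the `---` side and the pristine `freeradius-1.0.5` tree on `+++`, so the diff is reversed: the proposed change shows up as `-` lines, and applying it to a pristine 1.0.5 tree needs `patch -R`, or the diff regenerated with the pristine tree as the first argument.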
@@ -1198,23 +1198,15 @@
break;
}
- /* Patch by Martin Arrieta and Paolo Rotela.
- * Ignores Message-Authenticator in Accounting
Response packets
- * Because RFCs doesn't specify how to calculate
it.
- * It prevents Dropping packets when proxying
Accounting-Requests
- * to Cisco Secure ACS and possibily other
implementations.
- */
- if (packet->code != PW_ACCOUNTING_RESPONSE) {
- lrad_hmac_md5(packet->data,
packet->data_len,
- secret, strlen(secret),
calc_auth_vector);
- if (memcmp(calc_auth_vector,
msg_auth_vector,
- sizeof(calc_auth_vector)) != 0)
{
- char buffer[32];
- librad_log("Received packet
from %s with invalid Message-Authenticator! (Shared secret is incorrect.)",
- ip_ntoa(buffer,
packet->src_ipaddr));
- return -1;
- } /* else the message authenticator was good
*/
- }
+ lrad_hmac_md5(packet->data, packet->data_len,
+ secret, strlen(secret),
calc_auth_vector);
+ if (memcmp(calc_auth_vector, msg_auth_vector,
+ sizeof(calc_auth_vector)) != 0) {
+ char buffer[32];
+ librad_log("Received packet from %s with
invalid Message-Authenticator! (Shared secret is incorrect.)",
+ ip_ntoa(buffer,
packet->src_ipaddr));
+ return -1;
+ } /* else the message authenticator was good */
/*
* Reinitialize Authenticators.
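Review bot: wrapping the verification in `if (packet->code != PW_ACCOUNTING_RESPONSE)` (the `-` side, which is the proposed change given the reversed headers) makes every Accounting-Response that carries a Message-Authenticator accepted without the attribute being checked, for every home server, and without any log line; it also silences the `Shared secret is incorrect` diagnosis for that packet type, so a misconfigured secret on the Cisco link is no longer reported. A narrower change would keep the `lrad_hmac_md5` computation and, on mismatch, only continue for home servers explicitly configured to tolerate it, logging a warning that names the home server and the reason given in the comment (no RFC defines the calculation for Accounting-Response); for every other peer the packet should still be dropped. The comment's `possibily` is a typo, and the hunk counts (`-1198,23 +1198,15`) confirm the patched version is the longer one, i.e. the direction is inverted.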
----- Original Message -----
From: "Thor Spruyt" <thor.spruyt at telenet.be>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Thursday, September 15, 2005 5:58 PM
Subject: Re: FreeRadius Proxying and Message-Authenticator
> Alan DeKok wrote:
>> "Paolo Rotela" <paolo.rotela at bluetelecom.com> wrote:
>>> So you are implementing YOUR radius to support YOUR PROPOSED
>>> method... well it seems somewhat proprietary...
>
> If one wants control over a project, one should start his own project.
>
> It's clear to everybody that FreeRadius is widely used because it's strong
> and serves a general purpose (not to mention that it's free).
> So if one needs something specific to one's needs, one should contribute and
> hope that the project coordinators will see a general benefit.
>
> Please do not reply... I just wanted to give Alan some credit, so that the
> FreeRadius project will continue to evolve like it has before.
>
> --
> Groeten, Regards, Salutations,
>
> Thor Spruyt
> M: +32 (0)475 67 22 65
> E: thor.spruyt at telenet.be
> W: www.thor-spruyt.com
>
> www.salesguide.be
> www.telenethotspot.be
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
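The check the patch switches off, shown end to end as an added Python example (this is not FreeRADIUS code and not from anyone in this thread). It builds a constructed Accounting-Request/Accounting-Response exchange with the shared secret `testing123`, computes the Message-Authenticator the RFC 2869/RFC 3579 way (HMAC-MD5 with the Request Authenticator in the header and the attribute value zeroed), and verifies a proxied response. The "other convention" peer, which computes the HMAC with a zeroed Authenticator field, is a hypothetical stand-in for an implementation that calculates the attribute differently; it does not describe what Cisco Secure ACS does. The `tolerate_bad_mac` flag is likewise an illustration of a narrower, per-home-server alternative to an unconditional skip: the Response Authenticator is always checked, and a mismatching Message-Authenticator is logged rather than silently ignored.

```python
import hashlib
import hmac
import struct

# Packet codes (RFC 2865/2866) and attribute types (RFC 2865; RFC 2869 section 5.14).
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ACCT_STATUS_TYPE = 40
MESSAGE_AUTHENTICATOR = 80
SECRET = b"testing123"  # constructed shared secret for this example

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; the length octet covers the 2-byte header."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def find_message_authenticator(packet):
    """Offset of the 16-octet Message-Authenticator value, or None if the attribute is absent."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator value must be 16 octets")
            return pos + 2
        pos += attr_len
    return None

def message_authenticator(packet, secret, authenticator):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the Message-Authenticator value zeroed
    and the Authenticator field set to `authenticator`; for a response that is the
    Request Authenticator of the request being answered (RFC 3579 section 3.2)."""
    off = find_message_authenticator(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator")
    data = bytearray(packet)
    data[4:20] = authenticator
    data[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(data), hashlib.md5).digest()

def build_accounting_request(identifier, secret, attrs):
    """RFC 2866: Request Authenticator = MD5(header + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def build_accounting_response(request, secret, mac_authenticator=None):
    """Answer an Accounting-Request, adding a Message-Authenticator. None for
    `mac_authenticator` selects the RFC 3579 convention (Request Authenticator in the
    header while hashing); any other value models a hypothetical peer that computes it
    differently. Response Authenticator = MD5(header + Request Auth + attrs + secret)."""
    request_auth = request[4:20]
    if mac_authenticator is None:
        mac_authenticator = request_auth
    body = encode_attrs([(MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20 + len(body))
    packet = header + request_auth + body
    mac = message_authenticator(packet, secret, mac_authenticator)
    body_off = find_message_authenticator(packet) - 20
    body = body[:body_off] + mac + body[body_off + 16:]
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body

def verify_accounting_response(response, request, secret, log, tolerate_bad_mac=False):
    """Verify a proxied Accounting-Response against its request. The Response Authenticator
    is always checked; a Message-Authenticator, if present, is checked too, and
    `tolerate_bad_mac` (meant as a per-home-server setting) downgrades a mismatch to a
    logged warning instead of dropping the packet."""
    if response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        log("response code/identifier does not match the request")
        return False
    request_auth = request[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        log("invalid Response Authenticator (shared secret incorrect or packet altered)")
        return False
    off = find_message_authenticator(response)
    if off is not None:
        calc = message_authenticator(response, secret, request_auth)
        if not hmac.compare_digest(calc, response[off:off + 16]):
            if not tolerate_bad_mac:
                log("invalid Message-Authenticator in Accounting-Response; dropping")
                return False
            log("Message-Authenticator mismatch tolerated by home-server policy")
    return True

def demo():
    """Constructed exchange: conforming peer, peer with another MAC convention, wrong secret."""
    request = build_accounting_request(7, SECRET, [(ACCT_STATUS_TYPE, struct.pack("!I", 1))])
    log = []
    conforming = build_accounting_response(request, SECRET)
    other = build_accounting_response(request, SECRET, mac_authenticator=bytes(16))
    wrong_secret = build_accounting_response(request, b"wrong-secret")
    results = {
        "conforming": verify_accounting_response(conforming, request, SECRET, log.append),
        "other_strict": verify_accounting_response(other, request, SECRET, log.append),
        "other_tolerated": verify_accounting_response(other, request, SECRET, log.append, True),
        "wrong_secret": verify_accounting_response(wrong_secret, request, SECRET, log.append),
    }
    return results, log
```

Running `demo()` accepts the conforming response without any log entry, drops the other-convention response under the strict policy, accepts it with a warning when the home server is marked as tolerated, and rejects the wrong-secret response on the Response Authenticator before the Message-Authenticator is even looked at. The tolerance stays scoped to the one peer that needs it and leaves an audit trail, which is what the unconditional `if` in the patch gives up.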