Freeradius-Users Digest, Vol 50, Issue 18

Marco De Magistris marco.de.magistris at ericsson.com
Thu Jun 4 17:01:55 CEST 2009


Hi Nicolas,

>Be careful that using MD5 is not possible with all authentication
>methods:
>http://deployingradius.com/documents/protocols/compatibility.html
>(as you cannot decrypt a hash)


I'm working on a Radius Proxy.

The method used for authentication is EAP-TLS. The server is configured with a certificate for EAP-TLS.

As Radius Proxy, I need to send the packet received from the Radius Client towards the Radius Server with a Message-Authenticator (HMAC-MD5).

Home_server function:

  home_server SERVER1 {
     ...
     require_message_authenticator = yes 
     secret = <Shared Secret assigned to RAdiusServer>
     ...
  }

As Radius Proxy, should I define authentication protocols?


Thanks
Regards

   Marco
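What a proxy has to do with Message-Authenticator on each hop, as an added example (not code from the list post or from FreeRADIUS): RFC 2869 s5.14 and RFC 3579 s3.2 define attribute 80 as HMAC-MD5, keyed with the shared secret, over Code, Identifier, Length, Request Authenticator and the attributes, with the 16 value octets of attribute 80 zeroed while computing. Because the key is the secret of one hop, the proxy cannot forward the value it received from the client; it verifies that one (if present) against the client secret, drops it, and signs the outbound packet with the home-server secret. RFC 3579 requires the attribute in any Access-Request carrying EAP-Message, which is why it matters for EAP-TLS even when the client did not send one. The two secrets, the identifiers and the EAP payload are constructed sample data.

```python
"""Per-hop Message-Authenticator for a proxied RADIUS Access-Request.

Added example, not from the list post or from FreeRADIUS. Secrets,
identifiers and the EAP payload are constructed sample data.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then the 16-octet Authenticator


def attr(atype, value):
    """One RFC 2865 TLV: Type, Length (header included), Value of 1..253 octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([atype, len(value) + 2]) + value


def access_request(identifier, request_authenticator, attrs):
    """Header, Request Authenticator and the attribute list, as sent on the wire."""
    body = b"".join(attrs)
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator + body


def parse_attrs(packet):
    """Split the attribute region into (type, value) pairs; None if malformed."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return None
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            return None
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def sign(packet, secret):
    """Append attribute 80 to a packet that does not carry one yet (RFC 2869 s5.14)."""
    code, ident, length = HEADER.unpack(packet[:4])
    zeroed = HEADER.pack(code, ident, length + 18) + packet[4:] + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return zeroed[:-16] + mac


def verify(packet, secret):
    """True iff exactly one well-formed attribute 80 is present and its HMAC matches."""
    attrs = parse_attrs(packet)
    if attrs is None:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    # Rebuild the packet with the MAC value zeroed; parse_attrs is lossless.
    zeroed = packet[:20] + b"".join(
        attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def proxy_forward(inbound, client_secret, home_secret, new_identifier):
    """Per-hop handling: check the inbound MAC if the client sent one, drop it,
    rebuild with the proxy's own Identifier and a fresh Request Authenticator,
    and sign with the secret shared with the home server."""
    attrs = parse_attrs(inbound)
    if attrs is None:
        raise ValueError("malformed inbound packet")
    if any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs) and not verify(inbound, client_secret):
        raise ValueError("inbound Message-Authenticator does not verify with the client secret")
    kept = [attr(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR]
    outbound = access_request(new_identifier, os.urandom(16), kept)
    return sign(outbound, home_secret)


# Constructed sample data: an EAP-Response/Identity carried in EAP-Message (79).
CLIENT_SECRET = b"nas-secret"        # assumed secret shared with the RADIUS client
HOME_SECRET = b"home-server-secret"  # assumed secret shared with the home server
SAMPLE_EAP = b"\x02\x01\x00\x0a\x01user@"
SAMPLE_REQUEST = access_request(7, bytes(range(16)), [
    attr(USER_NAME, b"user@example.org"),
    attr(EAP_MESSAGE, SAMPLE_EAP),
])

if __name__ == "__main__":
    forwarded = proxy_forward(SAMPLE_REQUEST, CLIENT_SECRET, HOME_SECRET, new_identifier=42)
    print("verifies with home secret:", verify(forwarded, HOME_SECRET))      # True
    print("verifies with client secret:", verify(forwarded, CLIENT_SECRET))  # False
```

The same per-hop rule applies to User-Password, which RFC 2865 s5.2 obscures with the shared secret and Request Authenticator and which a proxy therefore has to re-encrypt; an EAP-TLS exchange carries EAP-Message instead, so Message-Authenticator is the attribute that matters on that path.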



-----Original Message-----
From: freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org [mailto:freeradius-users-bounces+marco.de.magistris=ericsson.com at lists.freeradius.org] On Behalf Of freeradius-users-request at lists.freeradius.org
Sent: Thursday 4 June 2009 13:55
To: freeradius-users at lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 50, Issue 18


Today's Topics:

   1. Re: dealing with 'corrupt' detail file (Arran Cudbard-Bell)
   2. How use tagged attributes? (R.Filatov at ttk.ru)
   3. help HMAC-MD5 (Marco De Magistris)
   4. Re: help HMAC-MD5 (Nicolas Goutte)


----------------------------------------------------------------------

Message: 1
Date: Thu, 04 Jun 2009 11:34:59 +0100
From: Arran Cudbard-Bell <a.cudbard-bell at sussex.ac.uk>
Subject: Re: dealing with 'corrupt' detail file
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <4A27A353.3050306 at sussex.ac.uk>
Content-Type: text/plain; charset=UTF-8

Hi,
>>> (I've already got, on my list, use Calling-Station-Id
>>> instead of NAS-Port for the unique function as many
>>> NAS use the same port for every accounting packet :-|)
>>   Create a patch, and send it to the list via git format-patch.  "Best
>> practices" really need to go into the server configuration.  Anything
>> else is too frustrating for the end users.
>
> I was hoping to get a small discussion initiated that would
> hopefully bring up a few things that people find they have to do
> to their configs ...at the end of which we get a nice comprehensive
> list of updates needed for the core server configuration (and hopefully
> a large number of 'you need to change this or add that' blog/wiki/random
> document entries removed across the world)
We write out a different detail file per hour. If for whatever reason
the account buffer gets to be big, and you have to restart the server,
at least you only have to deal with an hours worth of duplicate
accounting logs.

And just as Alan DeKok suggested:

accounting {
        #
        #  Log traffic to an SQL database.
        #
        #  See "Accounting queries" in sql.conf
        sql {
            invalid = 2
        }
        if (invalid) {
            ok
        }
}

You can log it to a rejects detail file as well, if you want to dissect
the packets later.

The other one (far more difficult to handle) is where you're using this
to proxy eduroam Accounting records back to an ORPS.

If the administrator of the ORPS has been particularly... obnoxious,
then the ORPS will not send Accounting-Responses, and the packet will be
stuck in the detail file indefinitely.

Our workaround is:

    accounting {
        #
        # Icky workaround for lack of universal eduroam accounting support
        # Really need NRPS to manufacture accounting response.
        #
        if((Acct-Delay-Time < 600) || (Realm != 'remote.jrs')){
                proxy_to_realm
        }

        #
        # Since we're proxying, we don't log anything
        # locally.  Ensure that the accounting section
        # "succeeds" by forcing an "ok" return.
        ok 
    }

This sucks, because perfectly valid Accounting Requests might be lost if
they were received at around the same time as invalid ones.

I'd be interested to hear if anyone has a better solution than the above.

Thanks,
Arran



------------------------------

Message: 2
Date: Thu, 4 Jun 2009 15:39:12 +0400
From: R.Filatov at ttk.ru
Subject: How use tagged attributes?
To: <freeradius-users at lists.freeradius.org>
Message-ID:
	<OF1C050F6B.AF15FFDD-ONC32575CB.003FFB82-C32575CB.004003A7 at ttk.ru>
Content-Type: text/plain; charset="us-ascii"

Hello!

This construction doesn't work:

# radiusd -X
FreeRADIUS Version 2.1.6, for host x86_64-unknown-linux-gnu, built on Jun 2 2009 at 23:23:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf

.....

 attr_rewrite add.service-volume {
        attribute = "ERX-Service-Volume:1"
        searchfor = ""
        searchin = "packet"
        replacewith = "1000"
        append = no
        ignore_case = yes
        new_attribute = no
        max_matches = 1
  }
rlm_attr_rewrite: No such attribute ERX-Service-Volume:1
/usr/local/etc/raddb/modules/attr_rewrite[48]: Instantiation failed for module "add.service-volume"
/usr/local/etc/raddb/sites-enabled/default[482]: Failed to find module "add.service-volume".
/usr/local/etc/raddb/sites-enabled/default[480]: Errors parsing pre-proxy section.
Errors initializing modules

Maybe the trouble is in my /dev/hands?

Best Regards
Filatov Ruslan
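The wire layout behind an "Attribute:tag" reference like the one in the configuration above, as an added example (not code from the post or from rlm_attr_rewrite). RFC 2868 s3 puts the tag in the first octet of the attribute value (0x01..0x1F; 0x00 means untagged), so a tagged integer carries only three octets of value and a tagged string is prefixed by the tag octet; the layout is the same for a vendor's tagged attribute inside a Vendor-Specific (26) wrapper. The Tunnel-Type and Tunnel-Private-Group-Id numbers are fixed by the RFC; the vendor ID and sub-type used for the VSA are assumed placeholder values, not the real ERX-Service-Volume definition.

```python
"""Tagged RADIUS attributes on the wire (RFC 2868 s3).

Added example, not from the list post or from rlm_attr_rewrite.  The VSA
vendor ID and sub-type are placeholders, not the real ERX-Service-Volume
numbers.
"""
import struct

TUNNEL_TYPE = 64               # tagged integer, RFC 2868 s3.1
TUNNEL_PRIVATE_GROUP_ID = 81   # tagged string, RFC 2868 s3.6
VENDOR_SPECIFIC = 26
MAX_TAG = 0x1F
PLACEHOLDER_VENDOR = 4874      # assumed vendor ID for the example VSA
PLACEHOLDER_SUBTYPE = 67       # assumed vendor sub-type for the example VSA


def tagged_integer(atype, tag, value):
    """Type, Length=6, Tag, 3-octet big-endian value (the tag eats one octet)."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integers carry only 24 bits")
    return bytes([atype, 6, tag]) + value.to_bytes(3, "big")


def tagged_string(atype, tag, text):
    """Type, Length, Tag, then the string (tag + string <= 253 octets)."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    payload = bytes([tag]) + text.encode("utf-8")
    if len(payload) > 253:
        raise ValueError("attribute too long")
    return bytes([atype, len(payload) + 2]) + payload


def vsa(vendor_id, sub_tlv):
    """Vendor-Specific: Type 26, Length, 4-octet Vendor-Id, then the vendor TLV."""
    body = struct.pack("!I", vendor_id) + sub_tlv
    if len(body) > 253:
        raise ValueError("VSA too long")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def unwrap_vsa(tlv):
    """(vendor_id, inner TLV bytes) from a Vendor-Specific attribute."""
    if len(tlv) < 8 or tlv[0] != VENDOR_SPECIFIC or tlv[1] != len(tlv):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    return struct.unpack("!I", tlv[2:6])[0], tlv[6:]


def decode_tagged_integer(tlv):
    """(type, tag, value); for tagged integers the Tag octet is always present."""
    if len(tlv) != 6 or tlv[1] != 6:
        raise ValueError("tagged integer attributes are exactly 6 octets")
    tag = tlv[2]
    if tag > MAX_TAG:
        raise ValueError("tag octet out of range")
    return tlv[0], tag, int.from_bytes(tlv[3:6], "big")


def decode_tagged_string(tlv):
    """(type, tag, text).  RFC 2868: a first octet above 0x1F is not a tag but
    the first character of an untagged string, reported here as tag 0."""
    if len(tlv) < 3 or tlv[1] != len(tlv):
        raise ValueError("malformed string attribute")
    value = tlv[2:]
    if value[0] <= MAX_TAG:
        return tlv[0], value[0], value[1:].decode("utf-8")
    return tlv[0], 0, value.decode("utf-8")


def group_by_tag(tlvs, kinds):
    """Pair attributes that share a tag (Tunnel-Type:1 with
    Tunnel-Private-Group-Id:1); `kinds` maps type -> 'integer' | 'string',
    because whether a type is tagged comes from the dictionary, not the wire."""
    groups = {}
    for tlv in tlvs:
        kind = kinds.get(tlv[0])
        if kind is None:
            continue
        decode = decode_tagged_integer if kind == "integer" else decode_tagged_string
        atype, tag, value = decode(tlv)
        groups.setdefault(tag, []).append((atype, value))
    return groups


if __name__ == "__main__":
    wire = [tagged_integer(TUNNEL_TYPE, 1, 13),                  # Tunnel-Type:1 = VLAN
            tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "vlan100"),
            vsa(PLACEHOLDER_VENDOR, tagged_integer(PLACEHOLDER_SUBTYPE, 1, 1000))]
    print(group_by_tag(wire[:2], {TUNNEL_TYPE: "integer", TUNNEL_PRIVATE_GROUP_ID: "string"}))
    print(decode_tagged_integer(unwrap_vsa(wire[2])[1]))
```

The decoder needs the dictionary to know which types are tagged; nothing on the wire distinguishes a tagged integer from a plain four-octet one, which is the same reason the server refuses a name it cannot find in its dictionary.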

------------------------------

Message: 3
Date: Thu, 4 Jun 2009 13:39:09 +0200
From: "Marco De Magistris" <marco.de.magistris at ericsson.com>
Subject: help HMAC-MD5 
To: <freeradius-users at lists.freeradius.org>
Message-ID:
	<6C96BFCE9C38AE4DB3C143FA3228C444015FCCF7 at eitrmmw020.eemea.ericsson.se>
	
Content-Type: text/plain; charset="us-ascii"

Hi all,

Sorry, but I'm confused about the HMAC-MD5 method.

I'm working on a Radius Proxy implementation.

The scenario is the following:

RADIUS Client -> Radius Proxy -> Radius Server.

Radius Client sends a Radius Packet towards Radius Proxy
(Message-Authenticator not used).

Radius Proxy sends the Radius Packet towards Radius Server using the
HMAC-MD5 method. How to configure the RADIUS Proxy? Should I add the
MD5-Password Attribute? Is MD5-Password identical to the Shared Secret
between Radius Proxy and Radius Server?

Thanks in advance

      Marco

------------------------------

Message: 4
Date: Thu, 4 Jun 2009 13:54:33 +0200
From: Nicolas Goutte <nicolas.goutte at extragroup.de>
Subject: Re: help HMAC-MD5 
To: FreeRadius users mailing list
	<freeradius-users at lists.freeradius.org>
Message-ID: <F3A7C067-E467-43AF-BEEA-B24242950B23 at extragroup.de>
Content-Type: text/plain; charset="windows-1252"; Format="flowed";
	DelSp="yes"


On 04.06.2009 at 13:39, Marco De Magistris wrote:

> Hi all,
>
> Sorry, but I'm confused about HMAC-MD5 method.
> I'm working on Radius Proxy Implementation.
>
>
> The scenario is the following
>
> RADIUS Client -> Radius Proxy -> Radius Server.
>
>
> Radius Client sends a Radius Packet towards Radius Proxy (Message- 
> Authenticator not used).
>
> Radius Proxy sends the Radius Packet towards Radius Server using  
> HMAC-MD5 method. How to configure RADIUS Proxy? Should I add MD5- 
> Password Attribute? MD5-Password is identical to Shared Secret  
> between Radius Proxy and Radius Server?

Be careful that using MD5 is not possible with all authentication
methods:
http://deployingradius.com/documents/protocols/compatibility.html
(as you cannot decrypt a hash)


>
> Thanks in advance
>       Marco
>
>
>
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841




------------------------------


End of Freeradius-Users Digest, Vol 50, Issue 18
************************************************
