Voip database
Fajar A. Nugraha
work at fajar.net
Tue Jan 4 09:41:59 CET 2011
On Tue, Jan 4, 2011 at 2:40 PM, miha- <miha_zoubek at hotmail.com> wrote:
> Currently, there is a password matching issue because the User-Password
> encoding is different during the Authentication from the Authorization.
> During the Authentication step, the Centile's radius client sends a
> User-Password encrypted with the secret.
> But during the Authorization step, we don't expect the Radius server to
> check this password again (which is sent anyway, I don't know if this is a
> bug or if it is required by Eyebill...).

So they deliberately do NOT encrypt password with the secret? That's
just silly. They need to fix it.

> The Authorization request contains the attribute Acct-Status-Type with the
> value 17 that means "authorize only".

Shouldn't it be RADIUS Attribute 6, Service-Type?
http://www.ietf.org/assignments/radius-types/radius-types.xml

> It also contains the attribute Message-Authenticator with the digest value.
> So Freeradius should use those two attributes to accept or reject the
> request instead of the User-Name and User-Password.

If only "pap" is involved (which, from your debug log seems to be the
case), you might be able to play with unlang and set Auth-Type :=
Accept for certain conditions (e.g. check whether
Message-Authenticator exists, and whether it matches a certain value).
http://wiki.freeradius.org/index.php/FAQ#How_do_I_permit_access_to_any_user_regardless_of_password.3F
http://freeradius.org/radiusd/man/unlang.html
--
Fajar
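
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of the two mechanisms the thread contrasts, User-Password hiding with the shared secret (RFC 2865 section 5.2) and Message-Authenticator verification (HMAC-MD5, RFC 2869 section 5.14), run on a constructed Access-Request with Service-Type 17. All function names, the secret and the sample values are assumptions made for illustration.

```python
import hashlib, hmac, struct

USER_NAME, USER_PASSWORD, SERVICE_TYPE, MESSAGE_AUTHENTICATOR = 1, 2, 6, 80
AUTHORIZE_ONLY = 17  # Service-Type value "Authorize Only"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the header."""
    pos, end = 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def verify_message_authenticator(packet, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the attribute value zeroed."""
    for atype, off, value in attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, value)
    return False  # attribute absent: nothing proves knowledge of the secret

def build_request(secret, user, password, authenticator, ident=1):
    """Constructed sample Access-Request carrying all four attributes."""
    values = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, authenticator)),
              (SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY)), (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in values)
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
```

A valid Message-Authenticator shows only that the sender knows the shared secret and that the packet was not altered in transit; it says nothing about whether the user's password is correct.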