There is no "Calling-Station-Id" attribute in access-requests sent in response to radius challenge from pam_radius-1.3.17-2.el6.x86_64 (CentOS release 6.5)
Dmitry Saratsky
simpot at simpot.com
Mon Sep 1 12:49:37 CEST 2014
Hi Axel,
Thank you for update!
> According to RFC 2865, an Access-Request packet MUST come with either a Calling-Station-Id or a NAS-Identifier AVP.
> So, if you don't have one, perhaps could you achieve something with the other one (if present, of course)?
NAS-Identifier attribute is sent on both access-requests, but is helpless for me, bcz I can't update it dynamically on linux machine...
I'm developing the feature, that will reject user authentication for user+nas_ip+calling-station-id if in log it more than X failed login within last Y minutes from the user. Now this feature is working, but it rejects requestes based on user+nas_ip only, bcz calling_station_id is blank ((((
> Looks more to be a "RADIUS_CLIENT" issue.
Yeah, I already reported new issue on github to pam_radius developers, but I afraid they will ignore it, just because NAS-Identifier is sent in both requests(((
> Could you post an example of a (first Access-Request, second Access-Request) pair sent by that "RADIUS_CLIENT"?
Sure, here is the output:
1st Access-Request:
rad_recv: Access-Request packet from host 192.168.64.11 port 17193, id=5, length=98
User-Name = "username"
User-Password = "some password"
NAS-IP-Address = 192.168.64.11
NAS-Identifier = "sshd"
NAS-Port = 16168
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.65.20"
Sending Access-Challenge of id 5 to 192.168.64.11 port 17193
Reply-Message = "OTP code: "
State = 0x33643539623066642d333162662d313165342d393939332d353235343030613964313334
2nd Access-Request:
rad_recv: Access-Request packet from host 192.168.64.11 port 17193, id=6, length=108
User-Name = "username"
User-Password = "736396"
NAS-IP-Address = 192.168.64.11
NAS-Identifier = "sshd"
NAS-Port = 16168
NAS-Port-Type = Virtual
State = 0x33643539623066642d333162662d313165342d393939332d353235343030613964313334
BR,
Dmitry.
-----Original Message-----
From: freeradius-users-bounces+simpot=simpot.com at lists.freeradius.org [mailto:freeradius-users-bounces+simpot=simpot.com at lists.freeradius.org] On Behalf Of Axel Luttgens
Sent: 01 Sep 2014 11:52
To: FreeRadius users mailing list
Subject: Re: There is no "Calling-Station-Id" attribute in access-requests sent in response to radius challenge from pam_radius-1.3.17-2.el6.x86_64 (CentOS release 6.5)
Le 31 août 2014 à 23:21, Dmitry Saratsky a écrit :
> Hi all,
>
> I'm using freeradius for custom 2-factor OTP authentication as below:
> RADIUS_CLIENT > Access-Request(User/Pass) > FreeRADIUS(check user pass
> and if ok -> generates state) > Access-Challenge > RADIUS_CLIENT>
> Access-Request(User/OTP/state) > FreeRADIUS
>
> In first Access-Request (before Access-Challenge) RADIUS_CLIENT is
> sending all required attributes well My problem is on the second Access-Request (after Access-Challenge). There is no "Calling-Station-Id" attribute on this state for some reason...
> I have checked this on the following radius client:
> pam_radius-1.3.17-2.el6.x86_64 (CentOS release 6.5)
Hello Dmitri,
According to RFC 2865, an Access-Request packet MUST come with either a Calling-Station-Id or a NAS-Identifier AVP.
So, if you don't have one, perhaps could you achieve something with the other one (if present, of course)?
> Anyone can suggest some work around for above? Maybe it is configuration issue I'm missing?
Looks more to be a "RADIUS_CLIENT" issue.
Could you post an example of a (first Access-Request, second Access-Request) pair sent by that "RADIUS_CLIENT"?
Axel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list