If the message authenticator is all zeros, then I can send a request from one freeradius server to another without any problems. The problem is when I use Radiator with freeradius sending accounting messages to it, it complains about Authentication failure. So I assumed that Radiator does not like a blank MA. Hence I tried to produce one and add it to the accounting packet before sending it to Radiator. However it still fails.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 28 September 2005 07:06 PM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 5, Issue 91

Send Freeradius-Users mailing list submissions to
    freeradius-users@lists.freeradius.org

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to
    [EMAIL PROTECTED]

You can reach the person managing the list at
    [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeradius-Users digest..."

Today's Topics:

   1. Re: AccountingReq message authenticator (Michael Lecuyer)
   2. Re: Questions about upgrading Freeradius (Linda Pagillo)
   3. Re: Expose RADIUS packet's identifier (Alan DeKok)
   4. Re: Questions about upgrading Freeradius (Alan DeKok)
   5. Re: Chap,LDAP and Passwords :) (Alan DeKok)
   6. Re: Crashes with 1.0.4/1.0.5, perhaps connected with slow LDAP backend? (Alan DeKok)
   7. Re: EAP-TLS reject if CN not in MySQL (Alan DeKok)
   8. Re: Questions about upgrading Freeradius (Dusty Doris)
   9. Re: Questions about upgrading Freeradius (Linda Pagillo)

----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Sep 2005 10:48:42 -0400
From: Michael Lecuyer <[EMAIL PROTECTED]>
Subject: Re: AccountingReq message authenticator
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=windows-1252; format=flowed

There is no way to generate a message authenticator in an Accounting-Request packet the usual way it's generated for an Access-Request. The accounting packet is signed by the client therefore there cannot be two signatures created for the entire packet.
By the very nature of creating a signature the second signature will alter the packet's contents invalidating the first signature.

The Message-Authenticator can be only one of two things. Either it's calculated as a hash of the attributes or it's a random number (like the Access-Request authenticator). From your information I suspect it's the former.

You might try using the traditional MA calculation for the MA on just the attributes with an empty (zeroed) MA present and back patch the MA. If this works please let me know. Or, if someone has accounting packets generated with proper MA's please send them to me and I'll try some standard hashes.

The MA is traditionally created as an MD5-HMAC of the shared secret and the entire packet's contents with an empty (16 byte) Message-Authenticator. For an accounting packet MA use just the attribute block instead of the entire packet; try just the attributes with the empty MA.

Ashwin Gobind wrote:
> Hi.
>
> Is there any way to generate a message authenticator for an accounting
> request packet. At the moment I am using JRadius, I need to send an
> accounting request message to another radius server. However after I
> add the message authenticator and send it to another server, the other
> server complains about "Invalid message authenticator" (Shared secret
> is incorrect).
>
> Here is some code :
>
> //Proxy request to the wap gateway
> DatagramSocket socket = new DatagramSocket();
> socket.setSoTimeout(5000);
>
> //Generate authenticator
> MessageDigest md5 = MessageDigest.getInstance("MD5");
> md5.reset();
> md5.update((byte)req.getCode());
> md5.update((byte)req.getIdentifier());
> int length = req.getBytes().length;
> byte [] authenticator = req.getAuthenticator();
> byte [] attributeBytes = req.getAttributeBytes(req.getAttributes(),0);
>
> for (int z=0; z <authenticator.length ; z++ )
>     RadiusLog.debug("Autenticator["+z+"] Before = " + authenticator[z]);
>
> RadiusLog.debug("Autenticator Length: " + authenticator.length);
> RadiusLog.debug("Attributes Length: " + attributeBytes.length);
> RadiusLog.debug("Paket Length: " + length);
>
> String sharedSecret = "testing123";
> md5.update((byte)(length >> 8));
> md5.update((byte)(length & 0xff));
> md5.update(authenticator, 0, authenticator.length);
> md5.update(attributeBytes, 0, attributeBytes.length);
> md5.update(sharedSecret.getBytes());
>
> req.overwriteAttribute(AttributeFactory.newAttribute(AttributeDictionary.MESSAGE_AUTHENTICATOR, authenticator));
>
> System.arraycopy(md5.digest(), 0, authenticator, 0, 16);
>
> "This e-mail is sent on the Terms and Conditions that can be accessed by
> Clicking on this link http://www.vodacom.net/legal/email.aspx
> <http://www.vodacom.net/legal/email.asp> "
>
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html

------------------------------

Message: 2
Date: Wed, 28 Sep 2005 10:17:59 -0500
From: "Linda Pagillo" <[EMAIL PROTECTED]>
Subject: Re: Questions about upgrading Freeradius
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Thanks for your reply. Is it really this much work to do a simple upgrade? Is there a shortcut?

----- Original Message -----
From: "Dusty Doris" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Sent: Wednesday, September 28, 2005 9:58 AM
Subject: Re: Questions about upgrading Freeradius

> On Wed, 28 Sep 2005, Linda Pagillo wrote:
>
> > Hi everyone:
> >
> > I have been using Freeradius v.0.9.3 for over a year and I wish to
> > upgrade to the latest version. Can anyone give me detailed instructions
> > on how to do this? I use Freeradius in a production environment and I
> > can't afford to mess it up. I'm running Linux RedHat 9. Do I just do a
> > ./configure, make and make install like I did the first time? If yes,
> > won't that overwrite all of my current config files? Thanks!
> >
>
> First, I would recommend setting up a lab machine (you can do it on your
> workstation if you need to) to test that your configs work correctly with
> the new version. It's probably backward compatible, but I wouldn't just
> blindly upgrade on production and hope for the best.
>
> Then you could compile freeradius with --prefix. This will put all
> configurations, binaries, etc.. into a certain directory. For example:
>
> ./configure --prefix=/usr/local/freeradius1.0.5
> make
> make install
>
> When that's done, cd to /usr/local/freeradius1.0.5/etc/raddb and change
> your files to make it work like it did in testing. Shut down the current
> radius version and start up the new one with
> /usr/local/freeradius1.0.5/sbin/radiusd -X and see if it's working.
> If so, modify your startup scripts to point to the new version instead of
> the old.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

------------------------------

Message: 3
Date: Wed, 28 Sep 2005 11:23:31 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: Expose RADIUS packet's identifier
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>

Josh Howlett <[EMAIL PROTECTED]> wrote:
> Does anyone know if the server can expose a RADIUS packet's identifier,
> for example through mod_exec? Or, is this limited to RADIUS attributes only?

ATTRIBUTE Packet-Authentication-Vector 1088 octets

It *could* have been somewhere in the documentation, but...

Alan DeKok.

------------------------------

Message: 4
Date: Wed, 28 Sep 2005 12:08:13 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: Questions about upgrading Freeradius
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>

"Linda Pagillo" <[EMAIL PROTECTED]> wrote:
> Thanks for your reply. Is it really this much work to do a simple upgrade?
> Is there a shortcut?

Not really. Doing the upgrade slowly is less work than doing it quickly, and then having your RADIUS server down because you missed something.

Alan DeKok.

------------------------------

Message: 5
Date: Wed, 28 Sep 2005 12:09:11 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: Chap,LDAP and Passwords :)
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>

liz <[EMAIL PROTECTED]> wrote:
> However, if I turn on CHAP based authentication I get a message from
> the radius server that USER-PASSWORD is a required attribute.

You set Auth-Type := LDAP. Don't do that. LDAP doesn't understand CHAP.

> I am going to try another radius plugin I found today on
> sourceforge to try and narrow it down.

That's not necessary.

Alan DeKok.

------------------------------

Message: 6
Date: Wed, 28 Sep 2005 12:12:56 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: Crashes with 1.0.4/1.0.5, perhaps connected with slow LDAP backend?
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>

Martin Pauly <[EMAIL PROTECTED]> wrote:
> We do have performance problems with our LDAP backend,
> so this sounds reasonable, but could this cause the server to crash?

Yes. If all of the threads are blocked forever, waiting for the DB to return data, then the queue of requests grows without bounds. At some point, the server says "I'm not making progress, and I can't recover from this", and kills itself.

Since the server is *already* effectively dead at that point, it makes no difference to your network.

The solution is to fix the database so that it doesn't kill the server.

Alan DeKok.

------------------------------

Message: 7
Date: Wed, 28 Sep 2005 12:14:05 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: EAP-TLS reject if CN not in MySQL
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>

"Jonathan De Graeve" <[EMAIL PROTECTED]> wrote:
> imply a group that changes the default ACTIONs to something like
>
> fail = 1
> everythingelse = return
>
> Tried in config:
>
> everythingelse = return
>
> radiusd.conf[1637] Unknown module rcode 'everythingelse'.

It was NOT meant to be taken literally.

> Any ideas?

Read doc/configurable_failover, and type in all the other return codes by hand.

Alan DeKok.

------------------------------

Message: 8
Date: Wed, 28 Sep 2005 12:48:09 -0400 (EDT)
From: Dusty Doris <[EMAIL PROTECTED]>
Subject: Re: Questions about upgrading Freeradius
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

You consider that much work? I wish I had your job!
:)

On Wed, 28 Sep 2005, Linda Pagillo wrote:

> Thanks for your reply. Is it really this much work to do a simple upgrade?
> Is there a shortcut?

------------------------------

Message: 9
Date: Wed, 28 Sep 2005 11:58:04 -0500
From: "Linda Pagillo" <[EMAIL PROTECTED]>
Subject: Re: Questions about upgrading Freeradius
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

I wish you had my job too because I'm about fed up with this crap.. Anyway, thanks for the reply, I'll do it.

----- Original Message -----
From: "Dusty Doris" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Sent: Wednesday, September 28, 2005 11:48 AM
Subject: Re: Questions about upgrading Freeradius

> You consider that much work? I wish I had your job!
>
> :)

------------------------------

End of Freeradius-Users Digest, Vol 5, Issue 91
***********************************************
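
The "traditional" calculation Michael Lecuyer describes in Message 1 (HMAC-MD5 keyed with the shared secret over the whole packet, with an empty 16-byte Message-Authenticator that is then back-patched), combined with the RFC 2866 Request Authenticator, as an added example that is not code from the thread, JRadius, FreeRADIUS or Radiator. Assumptions: the class name `AcctSign` is hypothetical, the Request Authenticator field is held at 16 zero octets while the HMAC is computed, the Message-Authenticator is the last attribute, and the sample attributes are constructed; the thread does not establish what Radiator accepts.

```java
import java.io.ByteArrayOutputStream;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AcctSign {
    // HMAC-MD5 keyed with the shared secret, as the reply describes.
    static byte[] hmacMd5(byte[] secret, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(secret, "HmacMD5"));
        return mac.doFinal(data);
    }
    // RFC 2866 Request Authenticator: MD5(packet with zeroed authenticator + secret).
    static byte[] acctAuth(byte[] zeroedPkt, byte[] secret) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(zeroedPkt);
        return md5.digest(secret);
    }
    // Build an Accounting-Request (code 4) and append Message-Authenticator (type 80).
    static byte[] sign(int id, byte[] attrs, byte[] secret) throws Exception {
        int len = 20 + attrs.length + 18;
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(4); out.write(id); out.write(len >> 8); out.write(len & 0xff);
        out.write(new byte[16]);              // authenticator: zero while signing (assumption)
        out.write(attrs);
        out.write(80); out.write(18);
        out.write(new byte[16]);              // empty MA placeholder
        byte[] pkt = out.toByteArray();
        System.arraycopy(hmacMd5(secret, pkt), 0, pkt, len - 16, 16);  // back-patch the MA
        System.arraycopy(acctAuth(pkt, secret), 0, pkt, 4, 16);        // then the authenticator
        return pkt;
    }
    // Receiver side: check the authenticator first, then the MA, zeroing each in turn.
    static boolean verify(byte[] pkt, byte[] secret) throws Exception {
        byte[] copy = pkt.clone();
        Arrays.fill(copy, 4, 20, (byte) 0);
        if (!MessageDigest.isEqual(acctAuth(copy, secret), Arrays.copyOfRange(pkt, 4, 20))) return false;
        int ma = pkt.length - 16;             // this example always puts the MA last
        Arrays.fill(copy, ma, pkt.length, (byte) 0);
        return MessageDigest.isEqual(hmacMd5(secret, copy), Arrays.copyOfRange(pkt, ma, pkt.length));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample attributes: User-Name "alice", Acct-Status-Type = Start (1).
        byte[] attrs = {1, 7, 'a', 'l', 'i', 'c', 'e', 40, 6, 0, 0, 0, 1};
        byte[] pkt = sign(42, attrs, "testing123".getBytes("US-ASCII"));
        System.out.println(verify(pkt, "testing123".getBytes("US-ASCII")));
        System.out.println(verify(pkt, "wrong".getBytes("US-ASCII")));
    }
}
```

The order matters: the second hash covers the attribute bytes, so the Message-Authenticator must be patched in before the Request Authenticator is computed, otherwise writing it invalidates the first value, which is the conflict the reply points out.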