Hello Dubravko,
Sorry for the delay, I was out of office.
I have no error in the trace 5; the request is handled and the response sent.
Please see anonymized logs of a NOK accept:
Thu Mar 14 14:43:13 2019: DEBUG: Packet dump:
*** Received from 100.X.X.X port 46830 ....
Packet length = 385
[...]
Code: Access-Request
Identifier: 111
Authentic: <223>~<251>y+<135><209><199><11><235><10><22><16><241><22>n
Attributes:
User-Name = "[email protected]"
CHAP-Password = <1>w<233><31><139><191>
CHAP-Challenge = <223>~<251>y+<135>><22><16><241><22>n
NAS-Port = 42410
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "c0:67:af:bf:d6:20"
NAS-Identifier = "92per1-r0b0"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=10;vlanid=1450"
Acct-Session-Id = "92per1-190314134958a241754500114"
Huawei-Startup-Stamp = 1342055654
Huawei-IPHost-Addr = "255.255.255.255 c0:67:af:bf:d6:20"
Huawei-Connect-ID = 114
Huawei-Version = "Huawei SmartAX MA5200 Software Version 2.10 RELEASE
7212"
Huawei-Domain-Name = "l2tpmax"
NAS-IP-Address = 84.96.Y.Y
Proxy-State = OSC-Extended-Id=1135
Thu Mar 14 14:43:13 2019: DEBUG: Handling request with Handler
'Realm="operateur.dop"', Identifier ''
Thu Mar 14 14:43:13 2019: DEBUG: Deleting session for
[email protected], 84.96.Y.Y, 42410
Thu Mar 14 14:43:13 2019: DEBUG: do query to 'dbi:mysql:radmin:RAD1-POP
Connection id: 0-00000': 'delete from RADONLINE where NASIDENTIFIER='84.96.Y.Y'
and NASPORT=042410':
Thu Mar 14 14:43:13 2019: DEBUG: Handling with Radius::AuthRADMIN: MYSQL1
Thu Mar 14 14:43:13 2019: DEBUG: Handling with Radius::AuthRADMIN: MYSQL1
Thu Mar 14 14:43:13 2019: DEBUG: Query to 'dbi:mysql:radmin:RAD1-POP Connection
id: 0-00000': 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS,
SERVICENAME, BADLOGINS, VALIDFROM, VALIDT
O from RADUSERS where USERNAME='[email protected]'':
Thu Mar 14 14:43:13 2019: DEBUG: Query to 'dbi:mysql:radmin:RAD1-POP Connection
id: 0-00000': 'select ATTR_ID, VENDOR_ID, IVALUE, SVALUE, ITEM_TYPE from
RADCONFIG where NAME='Clt000778-001@o
peratel.dop' order by ITEM_TYPE':
Thu Mar 14 14:43:13 2019: DEBUG: Radius::AuthRADMIN looks for match with
[email protected] [[email protected]]
Thu Mar 14 14:43:13 2019: DEBUG: Query to 'dbi:mysql:radmin:RAD1-POP Connection
id: 0-00000': 'select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS
from RADONLINE where USERNAME='Cl
[email protected]'':
Thu Mar 14 14:43:13 2019: DEBUG: ValidFrom date converted to: 1543916499
Thu Mar 14 14:43:13 2019: DEBUG: Expiration date converted to: 2147483647
Thu Mar 14 14:43:13 2019: DEBUG: do query to 'dbi:mysql:radmin:RAD1-POP
Connection id: 0-00000': 'update RADUSERS set BADLOGINS=0 where
USERNAME='[email protected]'':
Thu Mar 14 14:43:13 2019: DEBUG: Radius::AuthRADMIN ACCEPT: :
[email protected] [[email protected]]
Thu Mar 14 14:43:13 2019: DEBUG: AuthBy RADMIN result: ACCEPT,
Thu Mar 14 14:43:13 2019: DEBUG: Access accepted for [email protected]
Thu Mar 14 14:43:13 2019: DEBUG: do query to 'dbi:mysql:radmin:RAD1-POP
Connection id: 0-00000': 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE)
values (1552570993, '[email protected]', 1)':
Thu Mar 14 14:43:13 2019: DEBUG: Packet dump:
*** Sending to 100.X.X.X port 46830 ....
Packet length = 192
02 [...]
Code: Access-Accept
Identifier: 111
Authentic: <165><127><131>g0<244>m<169>=bj`<228><138><213>m
Attributes:
Proxy-State = OSC-Extended-Id=1135
Tunnel-Server-Endpoint = 1:62.39.X.X
Tunnel-Assignment-ID = 1:62.39.X.X
Framed-Protocol = PPP
Tunnel-Medium-Type = 1:IP
Service-Type = Framed-User
Tunnel-Type = 1:L2TP
Tunnel-Password = "1:password"
Tunnel-Preference = 1:1
Tunnel-Server-Endpoint = 2:62.39.X.X
Tunnel-Assignment-ID = 2:62.39.X.X
Tunnel-Medium-Type = 2:IP
Tunnel-Type = 2:L2TP
Tunnel-Password = "2:password"
Tunnel-Preference = 2:2
The questions are:
1) Does Radiator check the authenticator in the received request, and based on which IP
(header or other attribute)?
2) Which IP is used to generate the MD5 hash of the Authenticator to send responses?
Laurent DURU
Lugos, Network, Metrology & Security Expertise
https://www.lugos.fr
M: +33 6 28 09 88 94
[email protected]
Adopt an eco-attitude. Only print this e-mail if it is really necessary.
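To make the two authenticator questions above concrete, and the NAT scenario from the original post quoted further down, here is an added Python example. It is not Radiator code and not from this thread; it implements the RFC 2865 Response Authenticator (section 3) and the CHAP-Password check (section 5.3) and models a client table keyed by the packet's source address, which is consistent with the workaround that resolved the original post. The addresses, secrets, user name and Request Authenticator are constructed placeholders. Two things it shows: the Request Authenticator of an Access-Request is a random value the server cannot check against any secret (it only feeds the CHAP check and the Response Authenticator), so a request arriving from an unexpected source address is still accepted and answered; and only the NAS, recomputing the Response Authenticator with its own secret, notices that the server signed the Access-Accept with the DEFAULT secret instead.

```python
import hashlib
import hmac
import socket
import struct

# Constructed client table keyed by UDP source address, standing in for the
# <Client> clauses in the original post. Addresses and secrets are placeholders.
CLIENTS = {
    "192.0.2.10": b"azerty",   # REAL_CLIENT_IP
    "DEFAULT":    b"qwerty",   # <Client DEFAULT>
}
NAT_IP = "198.51.100.7"        # NAT_CLIENT_IP, deliberately absent from CLIENTS

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 3, 4


def register_client(src_ip, secret):
    """Add a <Client> entry, the workaround the original post describes."""
    CLIENTS[src_ip] = secret


def secret_for_source(src_ip):
    """Pick the shared secret by packet source address, falling back to DEFAULT."""
    return CLIENTS.get(src_ip, CLIENTS["DEFAULT"])


def avp(attr_type, value):
    """Encode one RFC 2865 attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    prefix = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(prefix + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """Server side: build a reply whose authenticator is keyed with `secret`."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def response_is_valid(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator with the NAS's own secret."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def chap_response(ident, password, challenge):
    """RFC 2865 s.5.3: CHAP-Password = ident || MD5(ident + password + challenge)."""
    return ident + hashlib.md5(ident + password + challenge).digest()


def chap_password_ok(chap_password, password, request_auth, chap_challenge=None):
    """Server side. The challenge is CHAP-Challenge if the NAS sent it, otherwise
    the Request Authenticator; the shared secret plays no part in this check."""
    if len(chap_password) != 17:
        return False
    challenge = request_auth if chap_challenge is None else chap_challenge
    expected = chap_response(chap_password[:1], password, challenge)
    return hmac.compare_digest(expected, chap_password)


def exchange(src_ip_seen_by_server, nas_secret, password=b"pw"):
    """One Access-Request / Access-Accept round trip over a possibly NATed path.
    Returns (server accepted CHAP, NAS accepted the Response Authenticator)."""
    request_auth = bytes(range(16))          # constructed; a real NAS picks a random value
    chap = chap_response(b"\x01", password, request_auth)
    attrs = (avp(USER_NAME, b"user@example.test")
             + avp(CHAP_PASSWORD, chap)
             + avp(NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")))  # REAL_CLIENT_IP in the attribute
    # Server: CHAP verifies no matter which client entry the source address hit...
    chap_ok = chap_password_ok(chap, password, request_auth)
    # ...but the Access-Accept is keyed with the secret chosen by source address,
    # not by the NAS-IP-Address attribute carried inside the packet.
    server_secret = secret_for_source(src_ip_seen_by_server)
    accept = build_response(ACCESS_ACCEPT, 111, avp(USER_NAME, b"user@example.test"),
                            request_auth, server_secret)
    return chap_ok, response_is_valid(accept, request_auth, nas_secret)


if __name__ == "__main__":
    print("direct:", exchange("192.0.2.10", b"azerty"))     # (True, True)
    print("via NAT:", exchange(NAT_IP, b"azerty"))           # (True, False)
    register_client(NAT_IP, b"azerty")
    print("NAT client added:", exchange(NAT_IP, b"azerty"))  # (True, True)
```

The `(True, False)` result in the NAT case is the symptom described in the thread: the server log shows a clean ACCEPT, while the NAS discards the reply because the Response Authenticator was computed with the DEFAULT secret. Adding a client entry for the NATed address, as the original post did, makes both sides agree again.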
On 11/03/2019 07:35, "Dubravko Penezic" <[email protected]> wrote:
Hi Laurent,
did you check what RADIATOR said when receiving the RADIUS request packet,
the first few lines with Trace 5?
Regards,
Dubravko Penezic
On 3/8/19 5:00 PM, Laurent Duru wrote:
> Hi All,
>
> We faced an issue with a wrong authenticator on answers sent by Radiator.
>
> In our design, the client source IP is NATed; here is an example of
> radius.cfg client configuration for discussion:
>
> <Client REAL_CLIENT_IP>
>     Secret azerty
>     Identifier CLIENT
> </Client>
>
> <Client DEFAULT>
>     Secret qwerty
>     Identifier Default
> </Client>
>
> REAL_CLIENT_IP is NATed to NAT_CLIENT_IP.
>
> When receiving an Access-Request with authenticator from NAT_CLIENT_IP, our
> Radiator accepts the request and sends an Access-Accept. That means the
> authenticator check is OK and that the usage of the secret “azerty” is
> OK. I think Radiator is checking the client on NAS-IP-ADDRESS and not the IP
> header address.
>
> When creating the authenticator for the answer, which IP is used? And then
> is it “azerty” or “qwerty” that is used as the secret?
>
> To have a working config we had to add:
>
> <Client NAT_CLIENT_IP>
>     Secret azerty
>     Identifier CLIENT
> </Client>
>
> This seems to mean Radiator is using the IP header address to calculate the
> answer and not NAS-IP-ADDRESS.
>
> Has anybody faced the same and can confirm?
>
> Have a nice weekend,
>
> Regards,
>
> *Laurent DURU*
>
> *Lugos*, Network, Metrology & Security Expertise
>
> https://www.lugos.fr
>
> M: +33 6 28 09 88 94
>
> [email protected] <mailto:[email protected]>
>
> Adopt an eco-attitude. Only print this e-mail if it is really necessary.
>
--
Dubravko Penezic
Department for Middleware Systems and Data Services
University of Zagreb, University Computing Centre (Srce),
www.srce.unizg.hr
[email protected], tel: +385 1 616 5555, fax: +385 1 616 5559
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator