On 20/03/2019 8.43, Laurent Duru wrote:
> Thu Mar 14 14:43:13 2019: DEBUG: Packet dump:
> *** Sending to 100.X.X.X port 46830 ....
> Packet length = 192
> 02 [...]
> Code: Access-Accept
> Identifier: 111
> Authentic: <165><127><131>g0<244>m<169>=bj`<228><138><213>m
> Attributes:
> Proxy-State = OSC-Extended-Id=1135
> Tunnel-Server-Endpoint = 1:62.39.X.X
> Tunnel-Assignment-ID = 1:62.39.X.X
> Framed-Protocol = PPP
> Tunnel-Medium-Type = 1:IP
> Service-Type = Framed-User
> Tunnel-Type = 1:L2TP
> Tunnel-Password = "1:password"
> Tunnel-Preference = 1:1
> Tunnel-Server-Endpoint = 2:62.39.X.X
> Tunnel-Assignment-ID = 2:62.39.X.X
> Tunnel-Medium-Type = 2:IP
> Tunnel-Type = 2:L2TP
> Tunnel-Password = "2:password"
> Tunnel-Preference = 2:2
>
> The questions are:
> 1) Does radiator check authenticator in received request and based on which IP (header or other attribute)
It does not check the authenticator, that is, the 'Authentic: ...' field in the request. If there was a Message-Authenticator attribute, that would be checked. In Access-Request the Authenticator goes unchanged over proxies. It's not (re-)calculated on a hop-by-hop basis.
Note: in your case there was no User-Password, which is encrypted on a hop-by-hop basis. For this reason the Access-Request did not cause a password check error.
Note: the RFC that defines the Message-Authenticator attribute recommends using it with requests that have CHAP-Password.
https://tools.ietf.org/html/rfc2869#section-7.1
> 2) Which IP is used to generate MD5 Hash of Authenticator to send responses.
In this case it's the secret shared with the <Client ...> clause that matched IP 100.X.X.X.
If there's a NAT involved and the request was received from the IP address of NAT, this IP is used as the Client IP. In other words, in case of NAT, <Client ...> that was used was the one that matched NAT's address.
Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory, EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

radiator mailing list [email protected] https://lists.open.com.au/mailman/listinfo/radiator
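The two checks discussed in the reply, as an added illustration that is not Radiator's own code: the Response Authenticator of a reply is computed and verified with the secret of the client entry matched by the source address the packet actually arrived from (the NAT address when NAT is involved), and Message-Authenticator is verified only when the attribute is present. The client table, addresses and secrets are constructed for the example.

```python
import hashlib
import hmac
# Constructed stand-in for Radiator's <Client ...> clauses, keyed by the source IP
# seen on the datagram; behind NAT that is the NAT address (hypothetical values).
CLIENTS = {"100.0.0.1": b"nas-secret", "203.0.113.10": b"nat-secret"}
ACCESS_REQUEST, ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 1, 2, 80

def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS attribute TLVs."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_response(code, ident, attrs, request_auth, src_ip):
    """Reply to a request that arrived from src_ip, using that entry's secret."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, body, request_auth, CLIENTS[src_ip])
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + auth + body

def verify_response(packet, request_auth, src_ip):
    """Proxy-side check of a reply: recompute with the secret for src_ip."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, CLIENTS[src_ip])
    return hmac.compare_digest(expected, packet[4:20])

def sign_request(ident, attrs, request_auth, src_ip):
    """RFC 2869 section 5.14: HMAC-MD5(secret, packet with Message-Authenticator zeroed)."""
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    header = bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big")
    mac = hmac.new(CLIENTS[src_ip], header + request_auth + body, hashlib.md5).digest()
    return header + request_auth + encode_attrs(attrs[:-1] + [(MESSAGE_AUTHENTICATOR, mac)])

def verify_message_authenticator(packet, src_ip):
    """Check the attribute if present; absent means nothing to check (the thread's case)."""
    off = 20
    while off + 2 <= len(packet):
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > len(packet):
            return False  # malformed attribute list
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            mac = hmac.new(CLIENTS[src_ip], zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[off + 2:off + 18])
        off += l
    return False
```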
