Hello Nacho -
On Wed, 25 Oct 2000, Nacho Paredes wrote:
> Hello:
>
> We are using Radiator 2.13.1 with openLDAP and it works fine, but we need a
> special IP allocation mechanism, so we are moving to version 2.16.3 with
> openLDAP and MySQL for the IP allocation.
> We have installed all the required software and configured a test realm.
> The tests with radpwtst work OK: the access is granted and the IP is
> allocated correctly.
> The problem is that when we try a dial-in access we get this log:
>
Could you send me a copy of your configuration file (no secrets) and a more
complete trace 4 showing what is happening?
> Authentic that are different (by the way, what is this Authentic: line?)
>
It's the RADIUS authenticator.
From rfc2865.txt (in the doc directory of your Radiator distribution):
Section 3
.....
Authenticator
The Authenticator field is sixteen (16) octets. The most
significant octet is transmitted first. This value is used to
authenticate the reply from the RADIUS server, and is used in the
password hiding algorithm.
Request Authenticator
In Access-Request Packets, the Authenticator value is a 16
octet random number, called the Request Authenticator. The
value SHOULD be unpredictable and unique over the lifetime of a
secret (the password shared between the client and the RADIUS
server), since repetition of a request value in conjunction
with the same secret would permit an attacker to reply with a
previously intercepted response. Since it is expected that the
same secret MAY be used to authenticate with servers in
disparate geographic regions, the Request Authenticator field
SHOULD exhibit global and temporal uniqueness.
The Request Authenticator value in an Access-Request packet
SHOULD also be unpredictable, lest an attacker trick a server
into responding to a predicted future request, and then use the
response to masquerade as that server to a future Access-
Request.
Although protocols such as RADIUS are incapable of protecting
against theft of an authenticated session via realtime active
wiretapping attacks, generation of unique unpredictable
requests can protect against a wide range of active attacks
against authentication.
The NAS and RADIUS server share a secret. That shared secret
followed by the Request Authenticator is put through a one-way
MD5 hash to create a 16 octet digest value which is xored with
the password entered by the user, and the xored result placed
in the User-Password attribute in the Access-Request packet.
See the entry for User-Password in the section on Attributes
for a more detailed description.
......
> We'll be very pleased if somebody can help us with this.
>
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
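The RFC text Hugh quotes describes the two things the Authenticator field is used for: hiding the User-Password (MD5 of the shared secret followed by the Request Authenticator, XORed with the password) and authenticating the server's reply. The following Python is an added example written for this archive page; it is not Radiator's code and not part of the original thread. It implements the hiding algorithm as RFC 2865 section 5.2 defines it, which generalises the single-block case quoted above to passwords longer than 16 octets (each further block is XORed with MD5(secret + previous ciphertext block)), and the Response Authenticator check from section 3 (MD5 over Code, Identifier, Length, Request Authenticator, Attributes and the secret). The shared secret, the Request Authenticator value and the passwords are constructed sample values, not anything from the thread.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 2865 section 3: the Request Authenticator SHOULD be 16 unpredictable,
# unique octets. A CSPRNG is the only sensible source; a counter or clock
# value lets an intercepted reply be replayed against a predicted request.
def new_request_authenticator() -> bytes:
    return secrets.token_bytes(16)


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 octets and cut into blocks
    p1..pN.  c1 = p1 XOR MD5(S + RA); ci = pi XOR MD5(S + c(i-1)).
    The quoted RFC text describes only the first block; this is the general case.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator          # the chaining value starts as RA
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = _xor16(padded[i:i + 16], digest)
        out += block
        prev = block                      # next block chains on this ciphertext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse of hide_password, as the RADIUS server does on receipt.

    Trailing NUL padding is stripped, which is what real servers do; it means
    a password that itself ends in NUL octets cannot be represented.
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += _xor16(block, digest)
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_response(code: int, identifier: int, attributes: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: RFC 2865 section 3 Response Authenticator.

    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator over the received packet
    using the Request Authenticator we sent, and compare in constant time."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    received_auth = packet[4:20]
    attributes = packet[20:length]
    header = struct.pack("!BBH", code, identifier, length)
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(received_auth, expected)


if __name__ == "__main__":
    # Constructed sample values (not from the thread).
    secret = b"example-shared-secret"
    ra = new_request_authenticator()
    hidden = hide_password(b"correct horse", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("recovered:", unhide_password(hidden, secret, ra))
    reply = build_response(2, 1, b"", ra, secret)      # Code 2 = Access-Accept
    print("reply authentic:", verify_response(reply, ra, secret))
```

Two properties worth seeing in the output: hiding the same password under the same secret with the same Request Authenticator always yields the same octets, which is exactly why the RFC insists the value be unique per request, and the reply only verifies against the Request Authenticator the client actually sent, so a reply captured for one request cannot be passed off as the answer to another.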