Hi there, I'm assuming all of you are using EAP-MD5 for authentication. We identified the same problem with 3.5. 3.3.1 didn't have the issue. Upon checking out the source code, there were problems with the EAP_4.pm source code. Maybe the programming team can tell us whether this is a blind spot in the design or a failure in architecture?

I have the fix here for your reference. Other auth methods seem to be fine.

Good luck!

======================================
Vincent Hua
Vice President Operations
Power2Roam Technologies Inc.
ISG InfoTech Systems Group Inc.
13988 Cambie Road, Suite 313 (2/F)
Richmond, BC, V6V 2K4
V: +1 (604) 303 6881 ext. 101
F: +1 (604) 303 6854
W: www.Power2Roam.com
   www.ISGGroup.com
ICQ: 196980 http://wwp.icq.com/196980
===================

# EAP_4.pm
#
# Module for handling Authentication via EAP type 4 (MD5-Challenge)
#
# See RFCs 2869 2284 1994
#
# Author: Mike McCauley ([EMAIL PROTECTED])
# Copyright (C) 2001 Open System Consultants
# $Id: EAP_4.pm,v 1.9 2002/11/07 04:10:47 mikem Exp $

package Radius::EAP_4;
use strict;
use Digest::MD5;    # provides Digest::MD5::md5, used in response()

#####################################################################
# request
# Called by EAP.pm when a request is received for this protocol type
sub request
{
    my ($classname, $self, $context, $p, $data) = @_;

    return ($main::ACCEPT);
}

#####################################################################
# Called by EAP.pm when an EAP Response/Identity is received
sub response_identity
{
    my ($classname, $self, $context, $p) = @_;

    $context->{md5_challenge} = &Radius::Util::random_string(16);
    my $message = pack('C a16 a*',
                       16, # MD5 challenge length
                       $context->{md5_challenge},
                       $main::hostname);
    $self->eap_request($p->{rp}, $context,
                       $Radius::EAP::EAP_TYPE_MD5_CHALLENGE,
                       $message);
    return ($main::CHALLENGE, 'EAP MD5-Challenge');
}

#####################################################################
# Called by EAP.pm when an EAP Response (other than Identity)
# is received
# $id is the id of the received EAP response
sub response
{
    my ($classname, $self, $context, $p, $type, $typedata) = @_;

    # This should be a response to a challenge
    # we sent previously. The challenge is cached
    # in the challenges array, indexed by
    # challenge_id.
    # The response should be the MD5 hash of
    # the challenge_id, the password, the challenge
    my ($length, $response, $username) = unpack('C a16 a*', $typedata);

    # OK, now we need the user details to check the password
    my ($user, $result, $reason) = $self->get_user($context->{identity}, $p);
    if ($user && $result == $main::ACCEPT)
    {
        my $correct_password = $user->get_check->get_attr('User-Password')
            || $user->get_check->get_attr('Password');
        my $correct_response = Digest::MD5::md5
            (chr($context->{this_id})
             . $correct_password
             . $context->{md5_challenge});
        if ($correct_response eq $response)
        {
            $self->eap_success($p->{rp}, $context);
            # add extra reply attributes for user <== NEXT LINE IS THE LINE THAT'S MISSING WHICH CAUSES PROBLEM!
            $self->authoriseUser($user, $p);
            $self->adjustReply($p);
            return ($main::ACCEPT);
        }
    }
    $self->eap_failure($p->{rp}, $context);
    return ($main::REJECT, 'EAP MD5-Challenge failed');
}

1;

=====================================================

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of engineering
Sent: January 16, 2003 12:50 PM
To: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Problems with Colubris CN3000

Denis,

We are encountering a very similar (if not the same) problem. We are also testing with a Colubris CN3000 and do not see the Colubris-AVPair attributes reaching the CN3000. Our radiator logs do not display the Colubris-AVPair attributes at all. This is for Radiator 3.5. We went back to 3.3.1, and the Colubris-AVPair attributes seem to be getting through. The Radiator logs and the Colubris logs both attest to this.

Rodney Ebersole
Abbco Inc.
phone: (814) 234-9420
eMail: [EMAIL PROTECTED]
IM: rebersoleabbcoinc [AIM, MSN, YAHOO]

----- Original Message -----
From: "Denis Beauchemin" <[EMAIL PROTECTED]>
To: "Radiator" <[EMAIL PROTECTED]>
Sent: Thursday, January 16, 2003 12:01 PM
Subject: (RADIATOR) Problems with Colubris CN3000

Hello,

We are testing a Colubris CN3000 802.1x wireless access point and are having some problems with it. (see http://www.colubris.com/en/products/public_access/CN3000/ for more info).

The biggest one is the HTTP URLs that don't seem to be sent to (or accepted by) the unit.

Here is what I have in radius.cfg (I am using Radiator 3.5):

<Client 132.210.X.Y>
        Secret oursecret
        Identifier colubris
</Client>

<Handler Client-Identifier=colubris>
        MaxSessions 1
        WtmpFileName %L/wtmp
        AcctLogFileName %L/accounting
        # PasswordLogFileName %L/password.log
        <AuthBy DBFILE>
                AutoMPPEKeys Yes
                AddToReply Service-Type = Framed-User,\
                        MS-MPPE-Encryption-Policy = Encryption-Allowed,\
                        MS-MPPE-Encryption-Types = Encryption-Any,\
                        Framed-Protocol = PPP,\
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-Routing = None,\
                        Framed-MTU = 1500,\
                        Colubris-AVPair = "login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/login.jsp?loginurl=%l",\
                        Colubris-AVPair = "session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/session.html",\
                        Colubris-AVPair = "transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/transport.html",\
                        Colubris-AVPair = "fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/fail.html",\
                        Colubris-AVPair = "logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif",\
                        Colubris-AVPair = "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443",\
                        Colubris-AVPair = "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80"
                Filename %D/usersdb
                RcryptKey our key
        </AuthBy>
        AuthLog Defaut
</Handler>

This is what I added to dictionary:

VENDOR          Colubris        8744
VENDORATTR      8744    Colubris-AVPair 0       string
ATTRIBUTE       Colubris-AVPair 0       string

The Colubris-AVPair don't seem to get to the CN3000 when it logs on.

Any ideas? I'm pretty sure I made a mistake in one of Radiator's conf files.

Thanks!

--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
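
Added example (not part of the thread and not Radiator code): a standalone Perl sketch of the EAP type 4 exchange that response() in the posted EAP_4.pm checks, using the same 'C a16 a*' layout and MD5(id . password . challenge) computation. It also validates the Value-Size octet, which the posted code unpacks into $length but never checks, and compares the digests without an early exit; the function names and sample values are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5);

# Server: MD5-Challenge type-data is Value-Size, Value, Name.
sub build_challenge {
    my ($challenge, $name) = @_;
    return pack('C a* a*', length($challenge), $challenge, $name);
}

# Peer: answer with MD5(identifier . password . challenge).
sub build_response {
    my ($id, $password, $typedata, $name) = @_;
    my ($size, $rest) = unpack('C a*', $typedata);
    my $challenge = substr($rest, 0, $size);
    return pack('C a16 a*', 16, md5(chr($id) . $password . $challenge), $name);
}

# Server: verify the response; returns 1 on match, 0 otherwise.
sub verify_response {
    my ($id, $password, $challenge, $typedata) = @_;
    # Need the Value-Size octet plus a 16-octet MD5 value.
    return 0 if length($typedata) < 17;
    my ($size, $response) = unpack('C a16', $typedata);
    return 0 unless $size == 16;
    my $expected = md5(chr($id) . $password . $challenge);
    # Accumulate differences so the comparison does not stop early.
    my $diff = 0;
    $diff |= ord(substr($expected, $_, 1)) ^ ord(substr($response, $_, 1))
        for 0 .. 15;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample values (hypothetical, not from the thread).
my $id        = 7;
my $password  = 'example-password';
my $challenge = pack('H*', '000102030405060708090a0b0c0d0e0f');

my $request  = build_challenge($challenge, 'radius.example');
my $response = build_response($id, $password, $request, 'alice');
my $short    = "\x08" . substr($response, 1);    # wrong Value-Size octet

printf "correct password:  %d\n", verify_response($id, $password, $challenge, $response);
printf "password mismatch: %d\n", verify_response($id, 'not-it', $challenge, $response);
printf "bad Value-Size:    %d\n", verify_response($id, $password, $challenge, $short);
```

This covers only the digest check; the fix posted in the thread concerns what the accept branch does after that check succeeds.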