Hello Vincent -
Many thanks for the patch. This is indeed a bug.
Mike will have a patch up on the web site in the next day or so (we will post a message to the list).
thanks again
regards
Hugh
On Friday, Jan 17, 2003, at 11:29 Australia/Melbourne, Vincent Hua wrote:
Hi, there,
I'm assuming all of you are using EAP-MD5 for authentication. We identified
the same problem with 3.5. 3.3.1 didn't have the issue. Upon checking out
the source code, there was problems with the EAP_4.pm source code. Maybe the
programming team can tell us whether this is a blind spot in the design or a
failure in architect ?
I have the fix here for your reference here. Other auth methods seem to be
fine.
Good luck!
======================================
Vincent Hua
Vice President Operations
Power2Roam Technologies Inc.
ISG InfoTech Systems Group Inc.
13988 Cambie Road, Suite 313 (2/F)
Richmond, BC, V6V 2K4
V: +1 (604) 303 6881 ext. 101
F: +1 (604) 303 6854
W: www.Power2Roam.com www.ISGGroup.com
ICQ: 196980 http://wwp.icq.com/196980
===================
# EAP_4.pm
#
# Module for handling Authentication via EAP type 4 (MD5-Challenge) # # See
RFCs 2869 2284 1994 # # Author: Mike McCauley ([EMAIL PROTECTED]) #
Copyright (C) 2001 Open System Consultants # $Id: EAP_4.pm,v 1.9 2002/11/07
04:10:47 mikem Exp $
package Radius::EAP_4;
use strict;
#####################################################################
# request
# Called by EAP.pm when a request is received for this protocol type sub
request {
my ($classname, $self, $context, $p, $data) = @_;
return ($main::ACCEPT);
}
#####################################################################
# Called by EAP.pm when an EAP Response/Identity is received sub
response_identity {
my ($classname, $self, $context, $p) = @_;
$context->{md5_challenge} = &Radius::Util::random_string(16);
my $message = pack('C a16 a*',
16, # MD5 challenge length
$context->{md5_challenge},
$main::hostname);
$self->eap_request($p->{rp}, $context,
$Radius::EAP::EAP_TYPE_MD5_CHALLENGE, $message);
return ($main::CHALLENGE, 'EAP MD5-Challenge');
}
#####################################################################
# Called by EAP.pm when an EAP Response (other than Identity)
# is received
# $id is the id of the received EAP response
sub response
{
my ($classname, $self, $context, $p, $type, $typedata) = @_;
# This should be a response to a challenge
# we sent previously. The challenge is cached
# in the challenges array, indexed by
# challenge_id. The response should be the MD5 hash
# the challenge_id, the password, the challenge
my ($length, $response, $username) = unpack('C a16 a*', $typedata);
# OK, now we need the user details to check the password
my ($user, $result, $reason) = $self->get_user($context->{identity},
$p);
if ($user && $result == $main::ACCEPT)
{
my $correct_password = $user->get_check->get_attr('User-Password')
|| $user->get_check->get_attr('Password') ;
my $correct_response = Digest::MD5::md5
(chr($context->{this_id}) .
$correct_password . $context->{md5_challenge});
if ($correct_response eq $response)
{
$self->eap_success($p->{rp}, $context);
# add extra reply attributes for user <== NEXT
LINE IS THE LINE THAT'S MISSING WHICH CAUSES PROBLEM!
$self->authoriseUser($user, $p);
$self->adjustReply($p);
return ($main::ACCEPT);
}
}
$self->eap_failure($p->{rp}, $context);
return ($main::REJECT, 'EAP MD5-Challenge failed');
}
1;
=====================================================
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
Behalf Of engineering
Sent: January 16, 2003 12:50 PM
To: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Problems with Colubris CN3000
Denis,
We are encountering a very similar (if not the same) problem. We are also
testing with a Colubris CN3000 and do not see the Colubris-AVPair attributes
reaching the CN3000. Our radiator logs do not display the Colubris-AVPair
attributes at all.
This is for Radiator 3.5.
We went back to 3.3.1, and the Colubris-AVPair attributes
seem to be getting through. The Radiator logs and the Colubris logs both
attest to this.
Rodney Ebersole
Abbco Inc.
phone: (814) 234-9420
eMail: [EMAIL PROTECTED]
IM: rebersoleabbcoinc [AIM, MSN, YAHOO]
----- Original Message -----
From: "Denis Beauchemin" <[EMAIL PROTECTED]>
To: "Radiator" <[EMAIL PROTECTED]>
Sent: Thursday, January 16, 2003 12:01 PM
Subject: (RADIATOR) Problems with Colubris CN3000
Hello,
We are testing a Colubris CN3000 802.1x wireless access point and are having
some problems with it. (see
http://www.colubris.com/en/products/public_access/CN3000/ for more info).
The biggest one is the HTTP URLs that don't seem to be sent to (or accepted
by) the unit.
Here is what I have in radius.cfg (I am using Radiator 3.5): <Client
132.210.X.Y>
Secret oursecret
Identifier colubris
</Client>
<Handler Client-Identifier=colubris>
MaxSessions 1
WtmpFileName %L/wtmp
AcctLogFileName %L/accounting
# PasswordLogFileName %L/password.log
<AuthBy DBFILE>
AutoMPPEKeys Yes
AddToReply Service-Type = Framed-User,\
MS-MPPE-Encryption-Policy = Encryption-Allowed,\
MS-MPPE-Encryption-Types = Encryption-Any,\
Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Colubris-AVPair =
"login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/ login.jsp?log
inurl=%l",\
Colubris-AVPair =
"session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/ session.ht
ml",\
Colubris-AVPair =
"transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/ transpor
t.html",\
Colubris-AVPair =
"fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/ fail.html",\
Colubris-AVPair =
"logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif",\
Colubris-AVPair =
"access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443",\
Colubris-AVPair = "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80"
Filename %D/usersdb
RcryptKey our key
</AuthBy>
AuthLog Defaut
</Handler>
This is what I added to dictionary:
VENDOR Colubris 8744
VENDORATTR 8744 Colubris-AVPair 0 string
ATTRIBUTE Colubris-AVPair 0 string
The Colubris-AVPair don't seem to get to the CN3000 when it logs on.
Any ideas? I'm pretty sure I made a mistake in one of Radiator's conf
files.
Thanks!
--
Denis Beauchemin, analyste
Universit� de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
![https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif",\](https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif",\){kind=link}