Hello all, Vincents patch is exactly the right answer. We will post a patch in about 2 days.
Cheers. On Thu, 16 Jan 2003 19:36, Hugh Irvine wrote: > Hello Vincent - > > Many thanks for the patch. This is indeed a bug. > > Mike will have a patch up on the web site in the next day or so (we > will post a message to the list). > > thanks again > > regards > > Hugh > > > On Friday, Jan 17, 2003, at 11:29 Australia/Melbourne, Vincent Hua > > wrote: > > Hi, there, > > > > I'm assuming all of you are using EAP-MD5 for authentication. We > > identified > > the same problem with 3.5. 3.3.1 didn't have the issue. Upon checking > > out > > the source code, there was problems with the EAP_4.pm source code. > > Maybe the > > programming team can tell us whether this is a blind spot in the > > design or a > > failure in architect ? > > > > I have the fix here for your reference here. Other auth methods seem > > to be > > fine. > > > > Good luck! > > > > ====================================== > > Vincent Hua > > Vice President Operations > > Power2Roam Technologies Inc. > > ISG InfoTech Systems Group Inc. > > 13988 Cambie Road, Suite 313 (2/F) > > Richmond, BC, V6V 2K4 > > V: +1 (604) 303 6881 ext. 101 > > F: +1 (604) 303 6854 > > W: www.Power2Roam.com www.ISGGroup.com > > ICQ: 196980 http://wwp.icq.com/196980 > > > > > > =================== > > # EAP_4.pm > > # > > # Module for handling Authentication via EAP type 4 (MD5-Challenge) # > > # See > > RFCs 2869 2284 1994 # # Author: Mike McCauley ([EMAIL PROTECTED]) # > > Copyright (C) 2001 Open System Consultants # $Id: EAP_4.pm,v 1.9 > > 2002/11/07 > > 04:10:47 mikem Exp $ > > > > package Radius::EAP_4; > > use strict; > > > > ##################################################################### > > # request > > # Called by EAP.pm when a request is received for this protocol type > > sub > > request { > > my ($classname, $self, $context, $p, $data) = @_; > > > > return ($main::ACCEPT); > > } > > > > ##################################################################### > > # Called by EAP.pm when an EAP Response/Identity is received sub > > response_identity { > > my ($classname, $self, $context, $p) = @_; > > > > $context->{md5_challenge} = &Radius::Util::random_string(16); > > my $message = pack('C a16 a*', > > 16, # MD5 challenge length > > $context->{md5_challenge}, > > $main::hostname); > > $self->eap_request($p->{rp}, $context, > > $Radius::EAP::EAP_TYPE_MD5_CHALLENGE, $message); > > return ($main::CHALLENGE, 'EAP MD5-Challenge'); > > } > > > > ##################################################################### > > # Called by EAP.pm when an EAP Response (other than Identity) > > # is received > > # $id is the id of the received EAP response > > sub response > > { > > my ($classname, $self, $context, $p, $type, $typedata) = @_; > > > > # This should be a response to a challenge > > # we sent previously. The challenge is cached > > # in the challenges array, indexed by > > # challenge_id. The response should be the MD5 hash > > # the challenge_id, the password, the challenge > > my ($length, $response, $username) = unpack('C a16 a*', $typedata); > > > > # OK, now we need the user details to check the password > > my ($user, $result, $reason) = > > $self->get_user($context->{identity}, > > $p); > > if ($user && $result == $main::ACCEPT) > > { > > my $correct_password = $user->get_check->get_attr('User-Password') > > > > || $user->get_check->get_attr('Password') ; > > > > my $correct_response = Digest::MD5::md5 > > (chr($context->{this_id}) . > > $correct_password . $context->{md5_challenge}); > > > > if ($correct_response eq $response) > > { > > $self->eap_success($p->{rp}, $context); > > # add extra reply attributes for user <== NEXT > > LINE IS THE LINE THAT'S MISSING WHICH CAUSES PROBLEM! > > $self->authoriseUser($user, $p); > > $self->adjustReply($p); > > return ($main::ACCEPT); > > } > > } > > $self->eap_failure($p->{rp}, $context); > > return ($main::REJECT, 'EAP MD5-Challenge failed'); > > } > > > > 1; > > > > ===================================================== > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On > > Behalf Of engineering > > Sent: January 16, 2003 12:50 PM > > To: [EMAIL PROTECTED] > > Subject: Re: (RADIATOR) Problems with Colubris CN3000 > > > > > > Denis, > > > > We are encountering a very similar (if not the same) problem. We are > > also > > testing with a Colubris CN3000 and do not see the Colubris-AVPair > > attributes > > reaching the CN3000. Our radiator logs do not display the > > Colubris-AVPair > > attributes at all. > > > > This is for Radiator 3.5. > > > > We went back to 3.3.1, and the Colubris-AVPair attributes > > seem to be getting through. The Radiator logs and the Colubris logs > > both > > attest to this. > > > > > > Rodney Ebersole > > Abbco Inc. > > phone: (814) 234-9420 > > eMail: [EMAIL PROTECTED] > > IM: rebersoleabbcoinc [AIM, MSN, YAHOO] > > > > > > > > ----- Original Message ----- > > From: "Denis Beauchemin" <[EMAIL PROTECTED]> > > To: "Radiator" <[EMAIL PROTECTED]> > > Sent: Thursday, January 16, 2003 12:01 PM > > Subject: (RADIATOR) Problems with Colubris CN3000 > > > > > > Hello, > > > > We are testing a Colubris CN3000 802.1x wireless access point and are > > having > > some problems with it. (see > > http://www.colubris.com/en/products/public_access/CN3000/ for more > > info). > > > > The biggest one is the HTTP URLs that don't seem to be sent to (or > > accepted > > by) the unit. > > > > Here is what I have in radius.cfg (I am using Radiator 3.5): <Client > > 132.210.X.Y> > > Secret oursecret > > Identifier colubris > > </Client> > > <Handler Client-Identifier=colubris> > > MaxSessions 1 > > WtmpFileName %L/wtmp > > AcctLogFileName %L/accounting > > # PasswordLogFileName %L/password.log > > <AuthBy DBFILE> > > AutoMPPEKeys Yes > > AddToReply Service-Type = Framed-User,\ > > MS-MPPE-Encryption-Policy = Encryption-Allowed,\ > > MS-MPPE-Encryption-Types = Encryption-Any,\ > > Framed-Protocol = PPP,\ > > Framed-IP-Netmask = 255.255.255.255,\ > > Framed-Routing = None,\ > > Framed-MTU = 1500,\ > > Colubris-AVPair = > > "login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/ > > login.jsp?log > > inurl=%l",\ > > Colubris-AVPair = > > "session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/ > > session.ht > > ml",\ > > Colubris-AVPair = > > "transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/ > > transpor > > t.html",\ > > Colubris-AVPair = > > "fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/ > > fail.html",\ > > Colubris-AVPair = > > "logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif",\ > > Colubris-AVPair = > > "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443",\ > > Colubris-AVPair = > > "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80" > > Filename %D/usersdb > > RcryptKey our key > > </AuthBy> > > AuthLog Defaut > > </Handler> > > > > This is what I added to dictionary: > > VENDOR Colubris 8744 > > VENDORATTR 8744 Colubris-AVPair 0 string > > ATTRIBUTE Colubris-AVPair 0 string > > > > The Colubris-AVPair don't seem to get to the CN3000 when it logs on. > > > > Any ideas? I'm pretty sure I made a mistake in one of Radiator's conf > > files. > > > > Thanks! > > -- > > Denis Beauchemin, analyste > > Université de Sherbrooke, S.T.I. > > T: 819.821.8000x2252 F: 819.821.8045 > > > > === > > Archive at http://www.open.com.au/archives/radiator/ > > Announcements on [EMAIL PROTECTED] > > To unsubscribe, email '[EMAIL PROTECTED]' with > > 'unsubscribe radiator' in the body of the message. > > > > > > === > > Archive at http://www.open.com.au/archives/radiator/ > > Announcements on [EMAIL PROTECTED] > > To unsubscribe, email '[EMAIL PROTECTED]' with > > 'unsubscribe radiator' in the body of the message. > > > > > > === > > Archive at http://www.open.com.au/archives/radiator/ > > Announcements on [EMAIL PROTECTED] > > To unsubscribe, email '[EMAIL PROTECTED]' with > > 'unsubscribe radiator' in the body of the message. -- I am travelling at the moment, and there may be delays in our correspondence. Mike McCauley, Open System Consultants, [EMAIL PROTECTED], www.open.com.au === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.