Hi,
We're using Radiator 4.10 as a proxy for EAP-SIM authentication. We're
aggregating 802.1X-capable Wi-Fi networks on one side and proxying the
requests to an EAP-SIM Gateway. This works fine with the networks that we
have connected so far, but in my opinion the content of the
Message-Authenticator attribute is wrong (maybe I have a wrong
understanding of the definition in RFC 2869), and we may face an issue
when we connect a network that does a proper check on the content of
this attribute.
According to RFC 2869 the Message-Authenticator is defined as

Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)

Therefore the Message-Authenticator should be recalculated on a proxy,
as some of those inputs are different, but it isn't, as you can see in
the logs below:
Request from Client and forward to EAP-SIM Gateway
Mon Nov 12 15:59:45 2012 776032: DEBUG: Packet dump:
*** Received from 10.80.100.20 port 15449 ....
Code: Access-Request
Identifier: 249
Authentic: <247><22>wO<168><169>v<136>2C<130><12><231>8<220><198>
Attributes:
User-Name =
"[email protected]"
NAS-IP-Address = 10.50.121.1
NAS-Port = 0
Called-Station-Id = "32-09-0F-48-1D-27:WiFi Key2roam"
Calling-Station-Id = "00-1B-63-D2-87-8D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
<2><2><0><28><18><11><0><0><11><5><0><0><229><145><227><23><209>2<251>oZ
_<177><134><27>n<12>|
State =
"Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;135050626
2;32461_1"
Message-Authenticator = <134>y+ku<186><190>g<146><131>tv{}*<138>
Mon Nov 12 15:59:45 2012 776739: DEBUG: Handling request with Handler
'Realm=wlan.mncXXX.mccXXX.3gppnetwork.org', Identifier ''
Mon Nov 12 15:59:45 2012 777210: DEBUG: Deleting session for
[email protected], 0.0.0.1, 0
Mon Nov 12 15:59:45 2012 777529: DEBUG: Handling with Radius::AuthRADIUS
Mon Nov 12 15:59:45 2012 779075: DEBUG: Packet dump:
*** Sending to 87.198.157.22 port 1812 ....
Code: Access-Request
Identifier: 4
Authentic: <247><22>wO<168><169>v<136>2C<130><12><231>8<220><198>
Attributes:
User-Name =
"[email protected]"
NAS-Port = 0
Called-Station-Id = "32-09-0F-48-1D-27:WiFi Key2roam"
Calling-Station-Id = "00-1B-63-D2-87-8D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
<2><2><0><28><18><11><0><0><11><5><0><0><229><145><227><23><209>2<251>oZ
_<177><134><27>n<12>|
State =
"Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;135050626
2;32461_1"
Message-Authenticator = <134>y+ku<186><190>g<146><131>tv{}*<138>
NAS-IP-Address = 0.0.0.1
Response from EAP-SIM Gateway and forward to Client
Mon Nov 12 15:59:45 2012 779498: DEBUG: AuthBy RADIUS result: IGNORE,
Mon Nov 12 15:59:46 2012 050564: DEBUG: Received reply in AuthRADIUS for
req 4 from 87.198.157.22:1812
Mon Nov 12 15:59:46 2012 051846: DEBUG: Packet dump:
*** Received from 87.198.157.22 port 1812 ....
Code: Access-Accept
Identifier: 4
Authentic: <155>W3n`;<237><255>F<170><29>Vp<191><236>p
Attributes:
State =
"Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;135050626
2;32461_1"
Message-Authenticator =
s<198>h<167>O<217><253><226>/<251><8><225>p<18><226><241>
EAP-Message = <3><0><0><4>
User-Name =
"[email protected]"
Chargeable-User-Identity = "01:XXXXXXXXXXXXXXX"
MS-MPPE-Recv-Key =
"<139><237>m<154><247><173><143><231><200><22><162>.<139>CO<11>b<205><21
9><18>U<237>;<186><201><187>_9<196><127><238><0>"
MS-MPPE-Send-Key =
"<241>'z<180><140><142>^G<143><21>M<133><232><224><4><213><244>\<164><14
7>/<132><23>z*<182><149><143>H@<179><17>"
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = Encryption-Any
Mon Nov 12 15:59:46 2012 052266: DEBUG: Access accepted for
[email protected]
Mon Nov 12 15:59:46 2012 054133: DEBUG: Packet dump:
*** Sending to 10.80.100.20 port 15449 ....
Code: Access-Accept
Identifier: 249
Authentic: %<156><249><179><133><3>i<246>KR<185><178><24><176><215>t
Attributes:
State =
"Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;135050626
2;32461_1"
Message-Authenticator =
s<198>h<167>O<217><253><226>/<251><8><225>p<18><226><241>
EAP-Message = <3><0><0><4>
User-Name =
"[email protected]"
Chargeable-User-Identity = "01:XXXXXXXXXXXXXXX"
MS-MPPE-Recv-Key =
"<139><237>m<154><247><173><143><231><200><22><162>.<139>CO<11>b<205><21
9><18>U<237>;<186><201><187>_9<196><127><238><0>"
MS-MPPE-Send-Key =
"<241>'z<180><140><142>^G<143><21>M<133><232><224><4><213><244>\<164><14
7>/<132><23>z*<182><149><143>H@<179><17>"
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = Encryption-Any
As said before, currently this works for our setup, but we may face an
issue in the future (or I have just misinterpreted the RFC). Attached
to this mail you'll find a stripped configuration file that may need to
be adapted. Thanks for your support!
Have a nice day!
Kind regards
Stefan Renfer
Comfone AG
Nussbaumstrasse 25
P.O. Box
3000 Bern 22
Switzerland
Phone: +41 31 341 13 64
Fax: +41 31 341 11 01
Mobile: +41 78 708 55 38
Email: [email protected]
Web: http://www.comfone.com
NOTICE - This message contains information intended only for the use of
those addressees named above. It may also be confidential and/or
privileged. If you are not the intended recipient of this message you
are hereby notified that you must not disseminate, copy or take any
action in reliance on it. If you have received this message in error
please notify the sender.
#---------------- EAP SIM Proxy configuration --------------------
User radiator
Group radiator
AuthPort 1812
AcctPort
Trace 4

#---------------------- directories ------------------------------
LogDir /var/log/radius
DbDir /etc/radiator
LogFile
<Log FILE>
    Filename %L/logfile_radiator_auth
    LogMicroseconds
    Trace 4
</Log>

#------------------ VSA Directories ----------------------------
DictionaryFile %D/dictionaries/dictionary,\
    %D/dictionaries/dictionary.sim,\
    %D/dictionaries/dictionary.weroam,\
    %D/dictionaries/dictionary.wispr,\
    %D/dictionaries/dictionary.3gpp2

#------------------ RADIUS Clients ----------------------------
<Client 10.80.100.20>
    Secret XXX
    StripFromRequest NAS-IP-Address
    AddToRequest NAS-IP-Address=0.0.0.1
</Client>

#------------------ RADIUS Realms ----------------------------
<Handler Realm=wlan.mncXXX.mccXXX.3gppnetwork.org>
    RejectHasReason
    <AuthBy RADIUS>
        <Host 87.198.157.22>
            Secret XXX
            AuthPort 1812
            AcctPort 1813
        </Host>
        EAPType SIM
    </AuthBy>
</Handler>
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
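The following is an added example, not part of the post above and not Radiator code, that makes the RFC 2869 point concrete: it computes and verifies the Message-Authenticator (HMAC-MD5 keyed with the shared secret, over Code, Identifier, Length, Authenticator and the attributes, with the attribute's own 16 value octets zeroed) and then rewrites a request the way the posted configuration does (new Identifier, NAS-IP-Address stripped and re-added). All secrets, addresses, the EAP payload and the identity are constructed placeholders. It shows that a Message-Authenticator copied unchanged from the client hop fails on the upstream hop for two independent reasons: the packet fields changed, and the upstream hop uses a different shared secret as the HMAC key.

```python
"""RFC 2869 Message-Authenticator: compute, verify, and recompute on a proxy hop.

Added example with constructed values; it is not Radiator code.
"""
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types used here (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (Length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Return [(type, value, value_offset)] for the attribute section of a packet."""
    attrs, pos = [], 20          # attributes start after the 20-byte header
    while pos < len(packet):
        attr_type, length = struct.unpack_from("!BB", packet, pos)
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length], pos + 2))
        pos += length
    return attrs


def _ma_offset(packet):
    offsets = [off for t, _, off in parse_attrs(packet) if t == MESSAGE_AUTHENTICATOR]
    if len(offsets) != 1:
        raise ValueError("packet must carry exactly one Message-Authenticator")
    return offsets[0]


def compute_message_authenticator(packet, secret, request_authenticator=None):
    """HMAC-MD5 over Code, Identifier, Length, Authenticator and all attributes.

    The Message-Authenticator's own 16 value octets are hashed as zeros
    (RFC 2869 s5.14). For replies, RFC 3579 s3.2 uses the Request
    Authenticator of the matching Access-Request; pass it as request_authenticator.
    """
    off = _ma_offset(packet)
    buf = bytearray(packet)
    buf[off:off + 16] = bytes(16)
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True if the packet's Message-Authenticator is correct under this secret."""
    expected = compute_message_authenticator(packet, secret, request_authenticator)
    off = _ma_offset(packet)
    return hmac.compare_digest(packet[off:off + 16], expected)


def build_packet(code, identifier, authenticator, attrs, secret, request_authenticator=None):
    """Serialize a packet from (type, value) pairs and append a correct Message-Authenticator."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder, filled below
    header = struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator
    packet = bytearray(header + body)
    packet[-16:] = compute_message_authenticator(bytes(packet), secret, request_authenticator)
    return bytes(packet)


def proxy_forward(packet, upstream_secret, new_identifier, strip_types=(), add_attrs=()):
    """Rewrite a request as a proxy does (new Identifier, StripFromRequest, AddToRequest)
    and recompute the Message-Authenticator under the secret shared with the upstream hop."""
    kept = [(t, v) for t, v, _ in parse_attrs(packet)
            if t not in strip_types and t != MESSAGE_AUTHENTICATOR]
    kept.extend(add_attrs)
    return build_packet(packet[0], new_identifier, packet[4:20], kept, upstream_secret)


def demo():
    """Reproduce the scenario from the post with constructed secrets and values."""
    client_secret, upstream_secret = b"client-secret-constructed", b"upstream-secret-constructed"
    request = build_packet(ACCESS_REQUEST, 249, os.urandom(16), [
        (USER_NAME, b"user@example.invalid"),              # constructed identity
        (NAS_IP_ADDRESS, bytes([10, 50, 121, 1])),
        (EAP_MESSAGE, bytes([2, 2, 0, 5, 1])),             # constructed EAP Response
    ], client_secret)
    rewrite = dict(strip_types=(NAS_IP_ADDRESS,), add_attrs=[(NAS_IP_ADDRESS, bytes([0, 0, 0, 1]))])
    recomputed = proxy_forward(request, upstream_secret, 4, **rewrite)
    # What the posted log shows: same Message-Authenticator bytes carried over unchanged.
    copied = bytearray(recomputed)
    copied[-16:] = request[_ma_offset(request):_ma_offset(request) + 16]
    copied = bytes(copied)
    return {
        "client_hop_valid": verify_message_authenticator(request, client_secret),
        "copied_valid_under_client_secret": verify_message_authenticator(copied, client_secret),
        "copied_valid_upstream": verify_message_authenticator(copied, upstream_secret),
        "recomputed_valid_upstream": verify_message_authenticator(recomputed, upstream_secret),
    }
```

Because the HMAC key is the per-hop shared secret, the value must be recomputed at every proxy hop even when no Identifier or attribute changes; checking the attribute on receipt and regenerating it on send is the behaviour a receiving server that enforces RFC 2869 expects.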