(RADIATOR) Feature Suggestion: optional disabling of Tunnel-Password encryption in AuthRADIUS

Valentin Tumarkin tv at xpert.com
Wed Apr 2 05:55:08 CST 2003


 Hi,

Some NASes and RADIUS Servers have the option not to encrypt the 
Tunnel-Password attribute. Some of our clients use this option
for backward-compatibility.

If Radiator is deployed as a RADIUS Proxy in such an environment
it will still try to decrypt/re-encrypt Tunnel-Password, which would 
obviously be wrong.

I suggest adding a new 'ClearTextTunnelPassword' config keyword flag to 
AuthRADIUS. In addition to backward-compatibility this feature could also 
be useful for troubleshooting.

In theory it should be possible to achieve the same effect with
hooks (one to back up the Tunnel-Password attribute value before 
AuthRADIUS, and another in AuthRADIUS ReplyHook to restore it), 
however the solution below seems much cleaner to me. 

The required changes to the AuthRADIUS.pm are minimal:

Change
if (defined ($attr = $p->get_attr('Tunnel-Password')))

To
if (defined ($attr = $p->get_attr('Tunnel-Password')) and not $self->{ClearTextTunnelPassword} )


And in %Radius::AuthRADIUS::ConfigKeywords add:
	'ClearTextTunnelPassword'               => 'flag',




	Best Regards,

	Valentin
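
Added example, not part of the original post and not Radiator code: a Python sketch of the RFC 2868 Tunnel-Password salt encryption, showing what a proxy's decrypt/re-encrypt step does to an encrypted value and to a value that arrived unencrypted. The function names, the `clear_text` parameter (modelling the proposed ClearTextTunnelPassword flag) and all sample values are constructed assumptions; the attribute's tag octet is omitted.

```python
import hashlib

def _chain_xor(data, secret, req_auth, salt, encrypting):
    """RFC 2868 sec. 3.5: b1 = MD5(S + R + A), b(i) = MD5(S + c(i-1))."""
    out, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        mixed = bytes(x ^ y for x, y in zip(block, pad))
        out += mixed
        prev = mixed if encrypting else block  # chaining always uses ciphertext
    return out

def encrypt_tunnel_password(password, secret, req_auth, salt):
    plain = bytes([len(password)]) + password       # length octet + password
    plain += b"\x00" * (-len(plain) % 16)           # pad to a 16-octet multiple
    return salt + _chain_xor(plain, secret, req_auth, salt, True)

def decrypt_tunnel_password(value, secret, req_auth):
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("String field is not a multiple of 16 octets")
    plain = _chain_xor(cipher, secret, req_auth, salt, False)
    if plain[0] > len(plain) - 1:
        raise ValueError("embedded length exceeds decrypted data")
    return plain[1:1 + plain[0]]

def proxy_tunnel_password(value, up_secret, up_auth, down_secret, down_auth,
                          clear_text=False):
    """Value a proxy forwards to the NAS; clear_text models the proposed flag."""
    if clear_text:
        return value                                # pass through untouched
    password = decrypt_tunnel_password(value, up_secret, up_auth)
    return encrypt_tunnel_password(password, down_secret, down_auth, value[:2])

# Constructed sample values (not from the post).
UP_SECRET, DOWN_SECRET = b"proxy-to-server", b"nas-to-proxy"
UP_AUTH, DOWN_AUTH = bytes(range(16)), bytes(range(16, 32))
SALT, PASSWORD, CLEAR = b"\x80\x01", b"l2tp-tunnel-pw", b"cleartext-pw-18-ch"

def demo():
    enc = encrypt_tunnel_password(PASSWORD, UP_SECRET, UP_AUTH, SALT)
    fwd = proxy_tunnel_password(enc, UP_SECRET, UP_AUTH, DOWN_SECRET, DOWN_AUTH)
    at_nas = decrypt_tunnel_password(fwd, DOWN_SECRET, DOWN_AUTH)
    try:   # unencrypted value pushed through the decrypt path
        seen = decrypt_tunnel_password(CLEAR, UP_SECRET, UP_AUTH)
    except ValueError:
        seen = None
    passed = proxy_tunnel_password(CLEAR, UP_SECRET, UP_AUTH, DOWN_SECRET,
                                   DOWN_AUTH, clear_text=True)
    return at_nas, seen, passed
```

`demo()` returns the password as the NAS recovers it after re-encryption, what the proxy would take the unencrypted value to be (garbage or `None` on a failed length check), and the value forwarded when the flag is set.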

