(RADIATOR) Feature Suggestion: optional disabling of Tunnel-Password encryption in AuthRADIUS
Valentin Tumarkin
tv at xpert.com
Wed Apr 2 05:55:08 CST 2003
Hi,
Some NASes and RADIUS Servers have the option not to encrypt the
Tunnel-Password attribute. Some of our clients use this option
for backward-compatibility.
If Radiator is deployed as a RADIUS Proxy in such an environment
it will still try to decrypt/re-encrypt Tunnel-Password, which would
obviously be wrong.
I suggest adding a new 'ClearTextTunnelPassword' config keyword flag to
AuthRADIUS. In addition to backward-compatibility this feature could also
be useful for troubleshooting.
In theory it should be possible to achieve the same effect with
hooks (one to back up the Tunnel-Password attribute value before
AuthRADIUS, and another in AuthRADIUS ReplyHook to restore it),
however the solution below seems much cleaner to me.
The required changes to AuthRADIUS.pm are minimal:
Change
if (defined ($attr = $p->get_attr('Tunnel-Password')))
To
if (defined ($attr = $p->get_attr('Tunnel-Password')) and not $self->{ClearTextTunnelPassword} )
And in %Radius::AuthRADIUS::ConfigKeywords add:
'ClearTextTunnelPassword' => 'flag',
Best Regards,
Valentin
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
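
The decrypt/re-encrypt step discussed in the message above, sketched from the RFC 2868 Tunnel-Password encoding as an added example; it is not part of the original post and not Radiator's code. All function names, secrets and authenticators are constructed for illustration, and the `cleartext` parameter only models the proposed flag.

```python
import hashlib
import os

def _xor_chain(data, secret, seed, decrypt):
    """RFC 2868 chaining: b(1)=MD5(S+R+A), b(i)=MD5(S+c(i-1)), c(i)=p(i) xor b(i)."""
    out, prev = b"", seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        x = bytes(p ^ k for p, k in zip(block, key))
        out += x
        prev = block if decrypt else x      # always chain on the ciphertext block
    return out

def encrypt_tunnel_password(password, secret, req_auth, tag=0, salt=None):
    """Build the attribute value: Tag(1) | Salt(2) | encrypted String."""
    salt = salt or os.urandom(2)
    salt = bytes([salt[0] | 0x80, salt[1]])  # high bit of the salt must be set
    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % 16)    # pad to a 16-octet boundary
    return bytes([tag]) + salt + _xor_chain(plain, secret, req_auth + salt, False)

def decrypt_tunnel_password(value, secret, req_auth):
    """Return the password; raise ValueError if value is not a valid encrypted form."""
    salt, body = value[1:3], value[3:]
    if len(body) == 0 or len(body) % 16 or not salt[0] & 0x80:
        raise ValueError("not an RFC 2868 encrypted Tunnel-Password")
    plain = _xor_chain(body, secret, req_auth + salt, True)
    if plain[0] > len(plain) - 1:
        raise ValueError("bad length octet (wrong secret or cleartext value)")
    return plain[1:1 + plain[0]]

def proxy_reencrypt(value, up_secret, up_auth, down_secret, down_auth, cleartext=False):
    """Proxy handling of a reply attribute: decrypt with the upstream server's
    secret, re-encrypt for the NAS. cleartext=True passes the value through."""
    if cleartext:
        return value
    pw = decrypt_tunnel_password(value, up_secret, up_auth)
    return encrypt_tunnel_password(pw, down_secret, down_auth, tag=value[0])
```

A cleartext value fed to the decrypt path either fails the structural checks or yields garbage, which is why a proxy in front of peers that send the attribute unencrypted must skip the step entirely.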