(RADIATOR) Fwd: Feature Suggestion: optional disabling of Tunnel-Password encryption in AuthRADIUS

Hugh Irvine hugh at open.com.au
Wed Apr 2 21:48:32 CST 2003


Hello Valentin -

Many thanks for the contribution.

The patch is now available on the web site.

regards

Hugh


Begin forwarded message:

> From: Mike McCauley <mikem at open.com.au>
> Date: Thu Apr 3, 2003  10:12:52 Australia/Melbourne
> To: Hugh Irvine <hugh at open.com.au>
> Subject: Re: Fwd: Feature Suggestion: optional disabling of 
> Tunnel-Password encryption in AuthRADIUS
>
> Hi Hugh,
>
> added and uploaded.
> Pls send thanks to Valentin.
>
> Cheers.
>
> On Thu, 3 Apr 2003 08:51 am, Hugh Irvine wrote:
>> Mikey -
>>
>> Another contribution.
>>
>> cheers
>>
>> Hugh
>>
>> Begin forwarded message:
>>> From: Valentin Tumarkin <tv at xpert.com>
>>> Date: Wed Apr 2, 2003  21:55:08 Australia/Melbourne
>>> To: radiator at open.com.au
>>> Cc: Hugh Irvine <hugh at open.com.au>
>>> Subject: Feature Suggestion: optional disabling of Tunnel-Password
>>> encryption in AuthRADIUS
>>>
>>>
>>>  Hi,
>>>
>>> Some NASes and RADIUS Servers have the option not to encrypt the
>>> Tunnel-Password attribute. Some of our clients use this option
>>> for backward-compatibility.
>>>
>>> If Radiator is deployed as a RADIUS Proxy in such an environment
>>> it will still try to decrypt/re-encrypt Tunnel-Password, which would
>>> obviously be wrong.
>>>
>>> I suggest adding a new 'ClearTextTunnelPassword' config keyword flag
>>> to AuthRADIUS. In addition to backward-compatibility this feature
>>> could also be useful for troubleshooting.
>>>
>>> In theory it should be possible to achieve the same effect with
>>> hooks (one to backup the Tunnel-Password attribute value before
>>> AuthRADIUS, and another in AuthRADIUS ReplyHook to restore it),
>>> however the solution below seems much cleaner to me.
>>>
>>> The required changes to the AuthRADIUS.pm are minimal:
>>>
>>> Change
>>> if (defined ($attr = $p->get_attr('Tunnel-Password')))
>>>
>>> To
>>> if (defined ($attr = $p->get_attr('Tunnel-Password')) and not
>>> $self->{ClearTextTunnelPassword} )
>>>
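Review bot: in the "To" line the new test still calls get_attr and assigns $attr before it looks at the flag; putting "not $self->{ClearTextTunnelPassword}" first would skip the lookup when the flag is set and reads more clearly as "do nothing in clear-text mode". The message speaks of both decrypting and re-encrypting while only one "if" is shown being changed, so it is worth confirming that every place in AuthRADIUS.pm that tests for Tunnel-Password carries the same guard.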
>>>
>>> And in %Radius::AuthRADIUS::ConfigKeywords add:
>>> 	'ClearTextTunnelPassword'               => 'flag',
>>>
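Review bot: the new 'ClearTextTunnelPassword' => 'flag' entry comes with no documentation text. Because the guard is "not $self->{ClearTextTunnelPassword}", an unset flag keeps the current behaviour, which is the right default, but the entry should say so, and should state that when the flag is set the Tunnel-Password value is passed on exactly as received, with no decryption or re-encryption by this AuthRADIUS clause, so that it is only enabled where the peer really sends the attribute unencrypted.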
>>>
>>>
>>>
>>> 	Best Regards,
>>>
>>> 	Valentin
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> 24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
> Phone +61 3 9598-0985                       Fax   +61 3 9598-0955
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
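
Added example, not part of the original thread and not Radiator code: the RFC 2868 section 3.5 Tunnel-Password hiding in Python, with the per-hop decrypt/re-encrypt step a proxy performs, to show what happens when the value arrives unencrypted and what a pass-through switch changes. The function names and the clear_text parameter are assumptions made for illustration, and all sample values are constructed.

```python
import hashlib
import os

def encrypt_tunnel_password(password, secret, req_auth, salt):
    """RFC 2868 s3.5 hiding. Returns Salt + String (the Tag octet is left out)."""
    plain = bytes([len(password)]) + password      # Data-Length, then the password
    plain += b"\x00" * (-len(plain) % 16)          # pad to a multiple of 16 octets
    out, prev = b"", req_auth + salt               # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))  # c(i) = p(i) xor b(i)
        out += prev                                # b(i+1) = MD5(S + c(i))
    return salt + out

def decrypt_tunnel_password(value, secret, req_auth):
    """Inverse of the above; raises ValueError when the value cannot be a hidden one."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % 16:
        raise ValueError("String is not a non-empty multiple of 16 octets")
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    if plain[0] > len(plain) - 1:
        raise ValueError("Data-Length exceeds the decrypted data")
    return plain[1:1 + plain[0]]

def proxy_tunnel_password(value, in_secret, in_auth, out_secret, out_auth,
                          clear_text=False):
    """Per-hop handling in a proxy; clear_text models the suggested flag (hypothetical name)."""
    if clear_text:
        return value                               # forwarded exactly as received
    password = decrypt_tunnel_password(value, in_secret, in_auth)
    salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)   # salt MSB must be set
    return encrypt_tunnel_password(password, out_secret, out_auth, salt)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    s_in, a_in, s_out, a_out = b"secret-A", bytes(16), b"secret-B", bytes(range(16))
    hidden = encrypt_tunnel_password(b"s3cret-tunnel", s_in, a_in, b"\x80\x01")
    fwd = proxy_tunnel_password(hidden, s_in, a_in, s_out, a_out)
    print(decrypt_tunnel_password(fwd, s_out, a_out))
    try:
        proxy_tunnel_password(b"s3cret-tunnel", s_in, a_in, s_out, a_out)
    except ValueError as err:
        print("clear-text value rejected by the decrypt step:", err)
```

A clear-text value whose length happens to be 2 + 16n octets passes the alignment check and is either rejected on Data-Length or re-encrypted as garbage, so the receiving side never sees the original string unless the pass-through switch is on.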

