(RADIATOR) Problems with Colubris CN3000
Vincent Hua
Vincent.Hua at Power2Roam.com
Thu Jan 16 22:37:18 CST 2003
You are welcome, Hugh. Just figure we all should help each other. :-)
Regards,
Vincent
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
Behalf Of Hugh Irvine
Sent: January 16, 2003 4:37 PM
To: Vincent.Hua at Power2Roam.com; mikem at open.com.au
Cc: 'engineering'; radiator at open.com.au
Subject: Re: (RADIATOR) Problems with Colubris CN3000
Hello Vincent -
Many thanks for the patch. This is indeed a bug.
Mike will have a patch up on the web site in the next day or so (we
will post a message to the list).
thanks again
regards
Hugh
On Friday, Jan 17, 2003, at 11:29 Australia/Melbourne, Vincent Hua
wrote:
> Hi, there,
>
> I'm assuming all of you are using EAP-MD5 for authentication. We identified
> the same problem with 3.5. 3.3.1 didn't have the issue. Upon checking out
> the source code, there were problems with the EAP_4.pm source code. Maybe the
> programming team can tell us whether this is a blind spot in the design or a
> failure in architect?
>
> I have the fix here for your reference here. Other auth methods seem to be
> fine.
>
> Good luck!
>
> ======================================
> Vincent Hua
> Vice President Operations
> Power2Roam Technologies Inc.
> ISG InfoTech Systems Group Inc.
> 13988 Cambie Road, Suite 313 (2/F)
> Richmond, BC, V6V 2K4
> V: +1 (604) 303 6881 ext. 101
> F: +1 (604) 303 6854
> W: www.Power2Roam.com www.ISGGroup.com
> ICQ: 196980 http://wwp.icq.com/196980
>
>
> ===================
> # EAP_4.pm
> #
> # Module for handling Authentication via EAP type 4 (MD5-Challenge)
> #
> # See RFCs 2869 2284 1994
> #
> # Author: Mike McCauley (mikem at open.com.au)
> # Copyright (C) 2001 Open System Consultants
> # $Id: EAP_4.pm,v 1.9 2002/11/07 04:10:47 mikem Exp $
>
> package Radius::EAP_4;
> use strict;
>
> #####################################################################
> # request
> # Called by EAP.pm when a request is received for this protocol type
> sub request
> {
>     my ($classname, $self, $context, $p, $data) = @_;
>
>     return ($main::ACCEPT);
> }
>
> #####################################################################
> # Called by EAP.pm when an EAP Response/Identity is received
> sub response_identity
> {
>     my ($classname, $self, $context, $p) = @_;
>
>     $context->{md5_challenge} = &Radius::Util::random_string(16);
>     my $message = pack('C a16 a*',
>                        16, # MD5 challenge length
>                        $context->{md5_challenge},
>                        $main::hostname);
>     $self->eap_request($p->{rp}, $context,
>                        $Radius::EAP::EAP_TYPE_MD5_CHALLENGE, $message);
>     return ($main::CHALLENGE, 'EAP MD5-Challenge');
> }
>
> #####################################################################
> # Called by EAP.pm when an EAP Response (other than Identity)
> # is received
> # $id is the id of the received EAP response
> sub response
> {
>     my ($classname, $self, $context, $p, $type, $typedata) = @_;
>
>     # This should be a response to a challenge
>     # we sent previously. The challenge is cached
>     # in the challenges array, indexed by
>     # challenge_id. The response should be the MD5 hash
>     # the challenge_id, the password, the challenge
>     my ($length, $response, $username) = unpack('C a16 a*', $typedata);
>
>     # OK, now we need the user details to check the password
>     my ($user, $result, $reason) = $self->get_user($context->{identity}, $p);
>     if ($user && $result == $main::ACCEPT)
>     {
>         my $correct_password = $user->get_check->get_attr('User-Password')
>             || $user->get_check->get_attr('Password');
>         my $correct_response = Digest::MD5::md5
>             (chr($context->{this_id}) .
>              $correct_password . $context->{md5_challenge});
>
>         if ($correct_response eq $response)
>         {
>             $self->eap_success($p->{rp}, $context);
>             # add extra reply attributes for user <== NEXT LINE IS THE LINE THAT'S MISSING WHICH CAUSES PROBLEM!
>             $self->authoriseUser($user, $p);
>             $self->adjustReply($p);
>             return ($main::ACCEPT);
>         }
>     }
>     $self->eap_failure($p->{rp}, $context);
>     return ($main::REJECT, 'EAP MD5-Challenge failed');
> }
>
> 1;
>
> =====================================================
>
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]
> On Behalf Of engineering
> Sent: January 16, 2003 12:50 PM
> To: radiator at open.com.au
> Subject: Re: (RADIATOR) Problems with Colubris CN3000
>
>
> Denis,
>
> We are encountering a very similar (if not the same) problem. We are also
> testing with a Colubris CN3000 and do not see the Colubris-AVPair attributes
> reaching the CN3000. Our radiator logs do not display the Colubris-AVPair
> attributes at all.
>
> This is for Radiator 3.5.
>
> We went back to 3.3.1, and the Colubris-AVPair attributes seem to be
> getting through. The Radiator logs and the Colubris logs both
> attest to this.
>
>
> Rodney Ebersole
> Abbco Inc.
> phone: (814) 234-9420
> eMail: rebersole at abbcoinc.com
> IM: rebersoleabbcoinc [AIM, MSN, YAHOO]
>
>
>
> ----- Original Message -----
> From: "Denis Beauchemin" <Denis.Beauchemin at USherbrooke.ca>
> To: "Radiator" <radiator at open.com.au>
> Sent: Thursday, January 16, 2003 12:01 PM
> Subject: (RADIATOR) Problems with Colubris CN3000
>
>
> Hello,
>
> We are testing a Colubris CN3000 802.1x wireless access point and are having
> some problems with it. (see
> http://www.colubris.com/en/products/public_access/CN3000/ for more info).
>
> The biggest one is the HTTP URLs that don't seem to be sent to (or accepted
> by) the unit.
>
> Here is what I have in radius.cfg (I am using Radiator 3.5):
>
> <Client 132.210.X.Y>
>     Secret oursecret
>     Identifier colubris
> </Client>
> <Handler Client-Identifier=colubris>
>     MaxSessions 1
>     WtmpFileName %L/wtmp
>     AcctLogFileName %L/accounting
>     # PasswordLogFileName %L/password.log
>     <AuthBy DBFILE>
>         AutoMPPEKeys Yes
>         AddToReply Service-Type = Framed-User,\
>             MS-MPPE-Encryption-Policy = Encryption-Allowed,\
>             MS-MPPE-Encryption-Types = Encryption-Any,\
>             Framed-Protocol = PPP,\
>             Framed-IP-Netmask = 255.255.255.255,\
>             Framed-Routing = None,\
>             Framed-MTU = 1500,\
>             Colubris-AVPair = "login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/login.jsp?loginurl=%l",\
>             Colubris-AVPair = "session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/session.html",\
>             Colubris-AVPair = "transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/transport.html",\
>             Colubris-AVPair = "fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/fail.html",\
>             Colubris-AVPair = "logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif",\
>             Colubris-AVPair = "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443",\
>             Colubris-AVPair = "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80"
>         Filename %D/usersdb
>         RcryptKey our key
>     </AuthBy>
>     AuthLog Defaut
> </Handler>
>
> This is what I added to dictionary:
> VENDOR Colubris 8744
> VENDORATTR 8744 Colubris-AVPair 0 string
> ATTRIBUTE Colubris-AVPair 0 string
>
> The Colubris-AVPair don't seem to get to the CN3000 when it logs on.
>
> Any ideas? I'm pretty sure I made a mistake in one of Radiator's conf
> files.
>
> Thanks!
> --
> Denis Beauchemin, analyste
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x2252 F: 819.821.8045
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with 'unsubscribe
> radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
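
The EAP-MD5 check discussed in this thread, as an added example that is not part of the original messages and is not Radiator code: a small Python model of the RFC 1994 response check in which the success path carries the user's reply items, the step the thread found missing. All function names, the `user_reply_items` parameter and the sample values are hypothetical and constructed for illustration; the length check and constant-time comparison are additions not present in the quoted module.

```python
import hashlib
import hmac
import os

MD5_LEN = 16  # size of an MD5 digest and of the challenge in the quoted module

def new_challenge(server_name):
    """Return (challenge, request type-data): length byte, challenge, name."""
    challenge = os.urandom(MD5_LEN)
    return challenge, bytes([MD5_LEN]) + challenge + server_name

def md5_response(eap_id, password, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()

def check_response(eap_id, typedata, password, challenge, user_reply_items):
    """Return (result, reply_attributes) for an EAP-MD5 Response.

    user_reply_items is a hypothetical list of (name, value) pairs standing
    in for the reply items configured for the user or handler.
    """
    # Reject type-data too short to hold the length byte and a 16-byte hash,
    # or whose declared value size is not that of an MD5 digest.
    if len(typedata) < 1 + MD5_LEN or typedata[0] != MD5_LEN:
        return "REJECT", []
    received = typedata[1:1 + MD5_LEN]
    expected = md5_response(eap_id, password, challenge)
    # Constant-time comparison; the quoted module uses a plain string 'eq'.
    if not hmac.compare_digest(received, expected):
        return "REJECT", []
    # Success path: the reply must carry the user's reply items, which is the
    # step the thread found missing (authoriseUser / adjustReply in the fix).
    return "ACCEPT", list(user_reply_items)

def demo():
    """Constructed exchange: correct peer, wrong password, truncated data."""
    items = [("Colubris-AVPair", "access-list=example,ACCEPT,tcp,192.0.2.10,80")]
    challenge, _request = new_challenge(b"radius.example")
    good = bytes([MD5_LEN]) + md5_response(7, b"s3cret", challenge) + b"alice"
    bad = bytes([MD5_LEN]) + md5_response(7, b"wrong", challenge) + b"alice"
    return [check_response(7, td, b"s3cret", challenge, items)
            for td in (good, bad, good[:10])]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```
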