(RADIATOR) Problems with Colubris CN3000

Mike McCauley mikem at open.com.au
Fri Jan 17 18:06:56 CST 2003


Hello all,

Vincents patch is exactly the right answer.
We will post a patch in about 2 days.

Cheers.

On Thu, 16 Jan 2003 19:36, Hugh Irvine wrote:
> Hello Vincent -
>
> Many thanks for the patch. This is indeed a bug.
>
> Mike will have a patch up on the web site in the next day or so (we
> will post a message to the list).
>
> thanks again
>
> regards
>
> Hugh
>
>
> On Friday, Jan 17, 2003, at 11:29 Australia/Melbourne, Vincent Hua
>
> wrote:
> > Hi, there,
> >
> > I'm assuming all of you are using EAP-MD5 for authentication. We
> > identified
> > the same problem with 3.5. 3.3.1 didn't have the issue. Upon checking
> > out
> > the source code, there was problems with the EAP_4.pm source code.
> > Maybe the
> > programming team can tell us whether this is a blind spot in the
> > design or a
> > failure in architect ?
> >
> > I have the fix here for your reference here. Other auth methods seem
> > to be
> > fine.
> >
> > Good luck!
> >
> > ======================================
> > Vincent Hua
> > Vice President Operations
> > Power2Roam Technologies Inc.
> > ISG InfoTech Systems Group Inc.
> > 13988 Cambie Road, Suite 313 (2/F)
> > Richmond, BC, V6V 2K4
> > V:  +1 (604) 303 6881 ext. 101
> > F:  +1 (604) 303 6854
> > W:	www.Power2Roam.com 	www.ISGGroup.com
> > ICQ: 196980	http://wwp.icq.com/196980
> >
> >
> > ===================
> > # EAP_4.pm
> > #
> > # Module for  handling Authentication via EAP type 4 (MD5-Challenge) #
> > # See
> > RFCs 2869 2284 1994 # # Author: Mike McCauley (mikem at open.com.au) #
> > Copyright (C) 2001 Open System Consultants # $Id: EAP_4.pm,v 1.9
> > 2002/11/07
> > 04:10:47 mikem Exp $
> >
> > package Radius::EAP_4;
> > use strict;
> >
> > #####################################################################
> > # request
> > # Called by EAP.pm when a request is received for this protocol type
> > sub
> > request {
> >     my ($classname, $self, $context, $p, $data) = @_;
> >
> >     return ($main::ACCEPT);
> > }
> >
> > #####################################################################
> > # Called by EAP.pm when an EAP Response/Identity is received sub
> > response_identity {
> >     my ($classname, $self, $context, $p) = @_;
> >
> >     $context->{md5_challenge} = &Radius::Util::random_string(16);
> >     my $message = pack('C a16 a*',
> > 		       16,  # MD5 challenge length
> > 		       $context->{md5_challenge},
> > 		       $main::hostname);
> >     $self->eap_request($p->{rp}, $context,
> > $Radius::EAP::EAP_TYPE_MD5_CHALLENGE, $message);
> >     return ($main::CHALLENGE, 'EAP MD5-Challenge');
> > }
> >
> > #####################################################################
> > # Called by EAP.pm when an EAP Response (other than Identity)
> > # is received
> > # $id is the id of the received EAP response
> > sub response
> > {
> >     my ($classname, $self, $context, $p, $type, $typedata) = @_;
> >
> >     # This should be a response to a challenge
> >     # we sent previously. The challenge is cached
> >     # in the challenges array, indexed by
> >     # challenge_id. The response should be the MD5 hash
> >     # the challenge_id, the password, the challenge
> >     my ($length, $response, $username) = unpack('C a16 a*', $typedata);
> >
> >     # OK, now we need the user details to check the password
> >     my ($user, $result, $reason) =
> > $self->get_user($context->{identity},
> > $p);
> >     if ($user && $result == $main::ACCEPT)
> >     {
> > 	my $correct_password = $user->get_check->get_attr('User-Password')
> >
> > 	    || $user->get_check->get_attr('Password') ;
> >
> > 	my $correct_response = Digest::MD5::md5
> > 	    (chr($context->{this_id}) .
> > 	     $correct_password . $context->{md5_challenge});
> >
> > 	if ($correct_response eq $response)
> > 	{
> > 	    $self->eap_success($p->{rp}, $context);
> > # add extra reply attributes for user				<==   NEXT
> > LINE IS THE LINE THAT'S MISSING WHICH CAUSES PROBLEM!
> > 	    $self->authoriseUser($user, $p);
> > 	    $self->adjustReply($p);
> > 	    return ($main::ACCEPT);
> > 	}
> >     }
> >     $self->eap_failure($p->{rp}, $context);
> >     return ($main::REJECT, 'EAP MD5-Challenge failed');
> > }
> >
> > 1;
> >
> > =====================================================
> >
> >
> > -----Original Message-----
> > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> > Behalf Of engineering
> > Sent: January 16, 2003 12:50 PM
> > To: radiator at open.com.au
> > Subject: Re: (RADIATOR) Problems with Colubris CN3000
> >
> >
> > Denis,
> >
> > We are encountering a very similar (if not the same) problem. We are
> > also
> > testing with a Colubris CN3000 and do not see the Colubris-AVPair
> > attributes
> > reaching the CN3000.  Our radiator logs do not display the
> > Colubris-AVPair
> > attributes at all.
> >
> > This is for Radiator 3.5.
> >
> > We went back to 3.3.1, and the Colubris-AVPair attributes
> > seem to be getting through.  The Radiator logs and the Colubris logs
> > both
> > attest to this.
> >
> >
> > Rodney Ebersole
> > Abbco Inc.
> > phone: (814) 234-9420
> > eMail:   rebersole at abbcoinc.com
> > IM:       rebersoleabbcoinc [AIM, MSN, YAHOO]
> >
> >
> >
> > ----- Original Message -----
> > From: "Denis Beauchemin" <Denis.Beauchemin at USherbrooke.ca>
> > To: "Radiator" <radiator at open.com.au>
> > Sent: Thursday, January 16, 2003 12:01 PM
> > Subject: (RADIATOR) Problems with Colubris CN3000
> >
> >
> > Hello,
> >
> > We are testing a Colubris CN3000 802.1x wireless access point and are
> > having
> > some problems with it. (see
> > http://www.colubris.com/en/products/public_access/CN3000/ for more
> > info).
> >
> > The biggest one is the HTTP URLs that don't seem to be sent to (or
> > accepted
> > by) the unit.
> >
> > Here is what I have in radius.cfg (I am using Radiator 3.5): <Client
> > 132.210.X.Y>
> >     Secret oursecret
> >     Identifier  colubris
> > </Client>
> > <Handler Client-Identifier=colubris>
> >     MaxSessions 1
> >     WtmpFileName %L/wtmp
> >     AcctLogFileName %L/accounting
> > #   PasswordLogFileName %L/password.log
> >     <AuthBy DBFILE>
> >         AutoMPPEKeys    Yes
> >         AddToReply  Service-Type = Framed-User,\
> >         MS-MPPE-Encryption-Policy = Encryption-Allowed,\
> >         MS-MPPE-Encryption-Types = Encryption-Any,\
> >         Framed-Protocol = PPP,\
> >         Framed-IP-Netmask = 255.255.255.255,\
> >         Framed-Routing = None,\
> >         Framed-MTU = 1500,\
> >         Colubris-AVPair =
> > "login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/
> > login.jsp?log
> > inurl=%l",\
> >         Colubris-AVPair =
> > "session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/
> > session.ht
> > ml",\
> >         Colubris-AVPair =
> > "transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/
> > transpor
> > t.html",\
> >         Colubris-AVPair =
> > "fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/
> > fail.html",\
> >         Colubris-AVPair =
> > "logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif",\
> >         Colubris-AVPair =
> > "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443",\
> >         Colubris-AVPair =
> > "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80"
> >         Filename %D/usersdb
> >         RcryptKey our key
> >     </AuthBy>
> >     AuthLog Defaut
> > </Handler>
> >
> > This is what I added to dictionary:
> > VENDOR     Colubris    8744
> > VENDORATTR    8744   Colubris-AVPair   0   string
> > ATTRIBUTE            Colubris-AVPair   0   string
> >
> > The Colubris-AVPair don't seem to get to the CN3000 when it logs on.
> >
> > Any ideas?  I'm pretty sure I made a mistake in one of Radiator's conf
> > files.
> >
> > Thanks!
> > --
> > Denis Beauchemin, analyste
> > Université de Sherbrooke, S.T.I.
> > T: 819.821.8000x2252 F: 819.821.8045
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.

-- 
I am travelling at the moment, and there may be delays in our correspondence.
Mike McCauley, Open System Consultants, mikem at open.com.au, www.open.com.au

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list