Fwd: Re: (RADIATOR) Problems with Colubris CN3000

Mike McCauley mikem at open.com.au
Sun Jan 19 17:41:17 CST 2003


Hello all,

The patch for this problem is now available in the Radiator 3.5 patches area.

Cheers.

On Tue, 21 Jan 2003 02:48, Mike McCauley wrote:
> ----------  Forwarded Message  ----------
>
> Subject: Re: (RADIATOR) Problems with Colubris CN3000
> Date: Fri, 17 Jan 2003 19:06:56 -0500
> From: Mike McCauley <mikem at open.com.au>
> To: Hugh Irvine <hugh at open.com.au>, <Vincent.Hua at Power2Roam.com>
> Cc: "'engineering'" <engineering at abbcoinc.com>, <radiator at open.com.au>
>
> Hello all,
>
> Vincent's patch is exactly the right answer.
> We will post a patch in about 2 days.
>
> Cheers.
>
> On Thu, 16 Jan 2003 19:36, Hugh Irvine wrote:
> > Hello Vincent -
> >
> > Many thanks for the patch. This is indeed a bug.
> >
> > Mike will have a patch up on the web site in the next day or so (we
> > will post a message to the list).
> >
> > thanks again
> >
> > regards
> >
> > Hugh
> >
> >
> > On Friday, Jan 17, 2003, at 11:29 Australia/Melbourne, Vincent Hua wrote:
> > > Hi, there,
> > >
> > > I'm assuming all of you are using EAP-MD5 for authentication. We
> > > identified the same problem with 3.5. 3.3.1 didn't have the issue.
> > > Upon checking out the source code, there were problems with the
> > > EAP_4.pm source code. Maybe the programming team can tell us whether
> > > this is a blind spot in the design or a failure in architect?
> > >
> > > I have the fix here for your reference. Other auth methods seem to be
> > > fine.
> > >
> > > Good luck!
> > >
> > > ======================================
> > > Vincent Hua
> > > Vice President Operations
> > > Power2Roam Technologies Inc.
> > > ISG InfoTech Systems Group Inc.
> > > 13988 Cambie Road, Suite 313 (2/F)
> > > Richmond, BC, V6V 2K4
> > > V:  +1 (604) 303 6881 ext. 101
> > > F:  +1 (604) 303 6854
> > > W:	www.Power2Roam.com 	www.ISGGroup.com
> > > ICQ: 196980	http://wwp.icq.com/196980
> > >
> > >
> > > ===================
> > > # EAP_4.pm
> > > #
> > > # Module for handling Authentication via EAP type 4 (MD5-Challenge)
> > > # See RFCs 2869 2284 1994
> > > #
> > > # Author: Mike McCauley (mikem at open.com.au)
> > > # Copyright (C) 2001 Open System Consultants
> > > # $Id: EAP_4.pm,v 1.9 2002/11/07 04:10:47 mikem Exp $
> > >
> > > package Radius::EAP_4;
> > > use strict;
> > > use Digest::MD5;
> > >
> > > #####################################################################
> > > # request
> > > # Called by EAP.pm when a request is received for this protocol type
> > > sub request {
> > >     my ($classname, $self, $context, $p, $data) = @_;
> > >
> > >     return ($main::ACCEPT);
> > > }
> > >
> > > #####################################################################
> > > # Called by EAP.pm when an EAP Response/Identity is received
> > > sub response_identity {
> > >     my ($classname, $self, $context, $p) = @_;
> > >
> > >     $context->{md5_challenge} = &Radius::Util::random_string(16);
> > >     my $message = pack('C a16 a*',
> > > 		       16,  # MD5 challenge length
> > > 		       $context->{md5_challenge},
> > > 		       $main::hostname);
> > >     $self->eap_request($p->{rp}, $context,
> > >                        $Radius::EAP::EAP_TYPE_MD5_CHALLENGE, $message);
> > >     return ($main::CHALLENGE, 'EAP MD5-Challenge');
> > > }
> > >
> > > #####################################################################
> > > # Called by EAP.pm when an EAP Response (other than Identity)
> > > # is received
> > > # $id is the id of the received EAP response
> > > sub response
> > > {
> > >     my ($classname, $self, $context, $p, $type, $typedata) = @_;
> > >
> > >     # This should be a response to a challenge
> > >     # we sent previously. The challenge is cached
> > >     # in the challenges array, indexed by
> > >     # challenge_id. The response should be the MD5 hash of
> > >     # the challenge_id, the password, the challenge
> > >     my ($length, $response, $username) = unpack('C a16 a*', $typedata);
> > >
> > >     # OK, now we need the user details to check the password
> > >     my ($user, $result, $reason) =
> > >         $self->get_user($context->{identity}, $p);
> > >     if ($user && $result == $main::ACCEPT)
> > >     {
> > >         my $correct_password = $user->get_check->get_attr('User-Password')
> > >             || $user->get_check->get_attr('Password');
> > >
> > > 	my $correct_response = Digest::MD5::md5
> > > 	    (chr($context->{this_id}) .
> > > 	     $correct_password . $context->{md5_challenge});
> > >
> > > 	if ($correct_response eq $response)
> > > 	{
> > > 	    $self->eap_success($p->{rp}, $context);
> > >             # add extra reply attributes for user
> > >             # <== NEXT LINE IS THE LINE THAT'S MISSING WHICH CAUSES PROBLEM!
> > > 	    $self->authoriseUser($user, $p);
> > > 	    $self->adjustReply($p);
> > > 	    return ($main::ACCEPT);
> > > 	}
> > >     }
> > >     $self->eap_failure($p->{rp}, $context);
> > >     return ($main::REJECT, 'EAP MD5-Challenge failed');
> > > }
> > >
> > > 1;
> > >
> > > =====================================================
> > >
> > >
> > > -----Original Message-----
> > > From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of engineering
> > > Sent: January 16, 2003 12:50 PM
> > > To: radiator at open.com.au
> > > Subject: Re: (RADIATOR) Problems with Colubris CN3000
> > >
> > >
> > > Denis,
> > >
> > > We are encountering a very similar (if not the same) problem. We are
> > > also testing with a Colubris CN3000 and do not see the Colubris-AVPair
> > > attributes reaching the CN3000.  Our radiator logs do not display the
> > > Colubris-AVPair attributes at all.
> > >
> > > This is for Radiator 3.5.
> > >
> > > We went back to 3.3.1, and the Colubris-AVPair attributes
> > > seem to be getting through.  The Radiator logs and the Colubris logs
> > > both attest to this.
> > >
> > >
> > > Rodney Ebersole
> > > Abbco Inc.
> > > phone: (814) 234-9420
> > > eMail:   rebersole at abbcoinc.com
> > > IM:       rebersoleabbcoinc [AIM, MSN, YAHOO]
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Denis Beauchemin" <Denis.Beauchemin at USherbrooke.ca>
> > > To: "Radiator" <radiator at open.com.au>
> > > Sent: Thursday, January 16, 2003 12:01 PM
> > > Subject: (RADIATOR) Problems with Colubris CN3000
> > >
> > >
> > > Hello,
> > >
> > > We are testing a Colubris CN3000 802.1x wireless access point and are
> > > having some problems with it. (see
> > > http://www.colubris.com/en/products/public_access/CN3000/ for more
> > > info).
> > >
> > > The biggest one is the HTTP URLs that don't seem to be sent to (or
> > > accepted by) the unit.
> > >
> > > Here is what I have in radius.cfg (I am using Radiator 3.5):
> > > <Client 132.210.X.Y>
> > >     Secret oursecret
> > >     Identifier  colubris
> > > </Client>
> > > <Handler Client-Identifier=colubris>
> > >     MaxSessions 1
> > >     WtmpFileName %L/wtmp
> > >     AcctLogFileName %L/accounting
> > > #   PasswordLogFileName %L/password.log
> > >     <AuthBy DBFILE>
> > >         AutoMPPEKeys    Yes
> > >         AddToReply  Service-Type = Framed-User,\
> > >         MS-MPPE-Encryption-Policy = Encryption-Allowed,\
> > >         MS-MPPE-Encryption-Types = Encryption-Any,\
> > >         Framed-Protocol = PPP,\
> > >         Framed-IP-Netmask = 255.255.255.255,\
> > >         Framed-Routing = None,\
> > >         Framed-MTU = 1500,\
> > >         Colubris-AVPair = "login-url=https://somewhere.USherbrooke.ca:8443/java/colubris/login.jsp?loginurl=%l",\
> > >         Colubris-AVPair = "session-page=https://somewhere.USherbrooke.ca:8443/java/colubris/session.html",\
> > >         Colubris-AVPair = "transport-page=https://somewhere.USherbrooke.ca:8443/java/colubris/transport.html",\
> > >         Colubris-AVPair = "fail-page=https://somewhere.USherbrooke.ca:8443/java/colubris/fail.html",\
> > >         Colubris-AVPair = "logo=https://somewhere.USherbrooke.ca:8443/java/colubris/logo.gif",\
> > >         Colubris-AVPair = "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,8443",\
> > >         Colubris-AVPair = "access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80"
> > >         Filename %D/usersdb
> > >         RcryptKey our key
> > >     </AuthBy>
> > >     AuthLog Defaut
> > > </Handler>
> > >
> > > This is what I added to dictionary:
> > > VENDOR     Colubris    8744
> > > VENDORATTR    8744   Colubris-AVPair   0   string
> > > ATTRIBUTE            Colubris-AVPair   0   string
> > >
> > > The Colubris-AVPair don't seem to get to the CN3000 when it logs on.
> > >
> > > Any ideas?  I'm pretty sure I made a mistake in one of Radiator's conf files.
> > >
> > > Thanks!
> > > --
> > > Denis Beauchemin, analyste
> > > Université de Sherbrooke, S.T.I.
> > > T: 819.821.8000x2252 F: 819.821.8045
> > >
> > > ===
> > > Archive at http://www.open.com.au/archives/radiator/
> > > Announcements on radiator-announce at open.com.au
> > > To unsubscribe, email 'majordomo at open.com.au' with
> > > 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia   http://www.open.com.au
Phone +61 3 9598-0985                       Fax   +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
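
One way to confirm the fix from the network side, as an added example that is not part of the original messages or of Radiator: parse a RADIUS reply and list the Colubris-AVPair values it carries, using vendor 8744 and attribute 0 from the dictionary lines quoted above. The packets are constructed samples with a zeroed authenticator, and the function names are hypothetical.

```python
import struct

COLUBRIS_VENDOR_ID = 8744  # VENDOR line from the dictionary in the thread
COLUBRIS_AVPAIR = 0        # VENDORATTR number from the same dictionary
VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute (RFC 2865)
ACCESS_ACCEPT = 2

def vsa(vendor_id, vtype, value):
    """Encode one Vendor-Specific attribute holding a single sub-attribute."""
    sub = struct.pack("!BB", vtype, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub

def build_packet(code, ident, attrs):
    """Build a RADIUS packet with a zeroed authenticator (sample data only)."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def colubris_avpairs(packet):
    """Return every Colubris-AVPair string found in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            (vendor,) = struct.unpack("!I", value[:4])
            sub = value[4:]
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                if vendor == COLUBRIS_VENDOR_ID and sub[0] == COLUBRIS_AVPAIR:
                    found.append(sub[2:sub[1]].decode("utf-8", "replace"))
                sub = sub[sub[1]:]
        pos += alen
    return found

# Constructed samples: an Access-Accept carrying EAP-Success (attribute 79)
# plus one AVPair, and one with the reply attributes missing (the symptom).
EAP_SUCCESS = struct.pack("!BB", 79, 6) + bytes([3, 1, 0, 4])
AVPAIR = b"access-list=carrefour,ACCEPT,tcp,132.210.X.Y,80"
GOOD = build_packet(ACCESS_ACCEPT, 1,
                    [EAP_SUCCESS, vsa(COLUBRIS_VENDOR_ID, COLUBRIS_AVPAIR, AVPAIR)])
BAD = build_packet(ACCESS_ACCEPT, 1, [EAP_SUCCESS])

if __name__ == "__main__":
    print("patched reply:  ", colubris_avpairs(GOOD))
    print("unpatched reply:", colubris_avpairs(BAD))
```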
