(RADIATOR) Re: About Packet of Disconnect

Hugh Irvine hugh at open.com.au
Mon May 12 21:34:56 CDT 2003


Ciao Giuseppe -

Thanks for your note.

There are now patches available on the web site with the POD fixes.

grazie

Hugo


On Tuesday, May 13, 2003, at 02:19 Australia/Melbourne, Giuseppe Denora wrote:

> Hi Hugh and Mick,
>
> if you wanna use radpwtst to send a POD request you should follow the 
> following steps:
>
>
> 1) modify the method assemble_packet in Radius.pm in the following 
> lines:
>
>      889         if $code eq 'Accounting-Request' ;
>
>    becomes
>
>      899         if $code eq 'Accounting-Request' || $code eq 'Disconnect-Request';
>
>
>    and
>
>   926             || $code eq 'Accounting-Response'
>
>   becomes
>
>   926             || $code eq 'Accounting-Response' || $code eq 'Disconnect-Request'
>
>
> This is because in the POD request the Authenticator must be calculated
> employing the same algorithm as the one used for Accounting-Requests
> (draft-chiba-radius-dynamic-authorization-01.txt), while radpwtst always
> sends 1234567890123456 as Authenticator in the Access-Requests.
>
>
> 2) use this as part of your radius file configuration:
>
>        <Client 127.0.0.1>
>                Secret SAME_SECRET_AS_POD_SERVER
>        </Client>
>
>        <Handler Class = POD>
>                PreAuthHook file:"%D/stripClassPOD"
>                <AuthBy RADIUS>
>                        Host xxx.yyy.ttt.zzz
>                        Secret xxxxx
>                        AuthPort 1700
>                        AcctPort 1700
>                </AuthBy>
>        </Handler>
>
>
> where  1700 is the default port for the POD Server (the cisco NAS)
> and SAME_SECRET_AS_POD_SERVER is the secret of the POD Server
>
> 3) with "aaa pod server auth-type any server-key SAME_SECRET_AS_POD_SERVER"
> use radpwtst in this way:
>
>    radpwtst -code Disconnect-Request Class=POD -noacct -noauth -secret SAME_SECRET_AS_POD_SERVER User-Name=xxxxx
>
>    or
>
>    radpwtst -code Disconnect-Request Class=POD -noacct -noauth -secret SAME_SECRET_AS_POD_SERVER Acct-Session-Id=xxxxx
>
>    or
>
>    radpwtst -code Disconnect-Request Class=POD -noacct -noauth -secret SAME_SECRET_AS_POD_SERVER Framed-IP-Address=aaa.bbb.ccc.ddd
>
>    or
>
>    radpwtst -code Disconnect-Request Class=POD -noacct -noauth -secret SAME_SECRET_AS_POD_SERVER Session-Svr-Key=acccfffgg
>
>
> DON'T USE
>
>    radpwtst -code Disconnect-Request Class=POD -noacct -noauth -secret SAME_SECRET_AS_POD_SERVER username=xxxxx
>
>    radpwtst -code Disconnect-Request Class=POD -noacct -noauth -secret SAME_SECRET_AS_POD_SERVER session_id=xxxxx
>
> We tested the POD on AS5300, IOS 12.2-11.t2 for VOIP application with
> success. PAY Attention: the destination port for the ACK packet is
> different from the source port of the POD Packet (this is a bug of CISCO!).
>
>
> Bye
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

