(RADIATOR) tunnel-password questions
PREVOSTO, Laurent
Laurent.PREVOSTO at neufcegetel.fr
Thu Sep 22 05:00:36 CDT 2005
Hi,
Bonjour,
I have the following situation :
Old crappy NAS <----> radiator proxy <----> old crappy SMC
I have problems concerning the tunnel password reply-item so I'd like to
verify a few things concerning the way radiator handles it :
1. if SMC sends back encrypted tunnel-password and I don't use
PlainTextTunnelPassword, I have the following
*** Received from SMC port 1812 ....
Code: Access-Accept
Identifier: 2
Authentic: oc<202>Xx4<176><187><21><252>9<250><189><149><150><132>
Attributes:
Proxy-State = OSC-Extended-Id=2
Class = "<128><141><128><128>"
Service-Type = Framed-User
Tunnel-Type = 1:L2TP
Tunnel-Medium-Type = 1:IP
Tunnel-Client-Endpoint = 1:xxxx
Tunnel-Server-Endpoint = 1:yyyy
Tunnel-Password =
"<1><255><212><1>A<174><133><8><29>"28&<202>>[<200><3><165>"
Tue Sep 20 18:18:03 2005: DEBUG: Received reply in AuthRADIUS for req 2
from 192.168.162
.120:1812
Tue Sep 20 18:18:03 2005: DEBUG: Access accepted for zzzz at demo.fr
Tue Sep 20 18:18:03 2005: DEBUG: Packet dump:
*** Sending to NAS port 32839 ....
Code: Access-Accept
Identifier: 228
Authentic: 1234567890123456
Attributes:
Class = "<128><141><128><128>"
Service-Type = Framed-User
Tunnel-Type = 1:L2TP
Tunnel-Medium-Type = 1:IP
Tunnel-Client-Endpoint = 1:xxxx
Tunnel-Server-Endpoint = 1:yyyy
Tunnel-Password = "<1><201><183><139>a<251><134>b
<131>B<192><7><9>X<187><248>fa
"
So it looks like radiator decrypts then reencrypts Tunnel-Password.
Moreover, I have to use the "string" type in the dictionary (as
documented) and NOT tagged-string since it seems to mess things up.
Am I right ?
2. if SMC sends back encrypted tunnel-password and I do use
PlainTextTunnelPassword, I have the following
*** Received from SMC port 1812 ....
Code: Access-Accept
Identifier: 1
Authentic:
<244>_<149><215><251>;<175>O<250><194><165><30><173><31><240>#
Attributes:
Proxy-State = OSC-Extended-Id=1
Class = "<128><141><128><128>"
Service-Type = Framed-User
Tunnel-Type = 1:L2TP
Tunnel-Medium-Type = 1:IP
Tunnel-Client-Endpoint = 1:xxxx
Tunnel-Server-Endpoint = 1:yyyy
Tunnel-Password =
"<1><175>.<213>8<165><7><26><223><163><16><164>L<231><188>[<25
0>fM"
Tue Sep 20 18:19:12 2005: DEBUG: Received reply in AuthRADIUS for req 1
from 192.168.162
.120:1812
Tue Sep 20 18:19:12 2005: DEBUG: Access accepted for zzzz at demo.fr
Tue Sep 20 18:19:12 2005: DEBUG: Packet dump:
*** Sending to NAS port 32839 ....
Code: Access-Accept
Identifier: 42
Authentic: 1234567890123456
Attributes:
Class = "<128><141><128><128>"
Service-Type = Framed-User
Tunnel-Type = 1:L2TP
Tunnel-Medium-Type = 1:IP
Tunnel-Client-Endpoint = 1:xxxx
Tunnel-Server-Endpoint = 1:yyyy
Tunnel-Password =
"<1><175>.<213>8<165><7><26><223><163><16><164>L<231><188>[<25
0>fM"
So it looks like if radiator receives an encrypted Tunnel-Password, he
will send it encrypted (but unchanged) even if ClearTextTunnelPassword
is set.
Once again, am I right ?
In that very case, is there a way radiator sends back the
Tunnel-Password as clear text ?
3. mixing ClearTextTunnelPassword and Handler
I can add ClearTextTunnelPassword in an <AuthBy Radius> clause and it
works fine (if the Tunnel-Password is not received encrypted, as in 2.)
But it looks like I can't put it in an <Handler> clause, so I can't do
something like :
<Handler Realm=/foo/>
AuthBy Something
ClearTextTunnelPassword
AddToReply Tunnel-Password = 1:somepasswd
</Handler>
Plus writing :
<AuthBy whatever>
Identifier Something
ClearTextTunnelPassword
...
</AuthBy>
<Handler Realm=/foo/>
AuthBy Something
AddToReply Tunnel-Password = 1:somepasswd
</Handler>
Won't work either.
This is quite frustrating... is there a way to do such a thing ?
Regards,
Laurent
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list