(RADIATOR) Weird behavior.
Mike McCauley
mikem at open.com.au
Thu Feb 23 17:13:41 CST 2006
Hello Sergio,
On Friday 24 February 2006 07:43, Sergio Alejandro Gonzalez Z (S2010) wrote:
> Hello:
>
> I found a kind of DoS that should have been prevented with
> UsernameCharset. I would like to know if there is something
> wrong with my config.
Your config looks OK, and tests here (with AuthBy LDAP2) show that it does
what you expect:
Fri Feb 24 09:10:05 2006: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 36912 ....
Code: Access-Request
Identifier: 80
Authentic: 1234567890123456
Attributes:
User-Name = "*<9>*"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Async
User-Password =
<159><249>:<201><175>\<4><246><188>8<9><160><216>}x<153>
Fri Feb 24 09:10:05 2006: DEBUG: Rewrote user name to * *
Fri Feb 24 09:10:05 2006: DEBUG: Rewrote user name to *
Fri Feb 24 09:10:05 2006: DEBUG: Rewrote user name to *
Fri Feb 24 09:10:05 2006: DEBUG: Rewrote user name to *
Fri Feb 24 09:10:05 2006: DEBUG: Rewrote user name to *
Fri Feb 24 09:10:05 2006: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Fri Feb 24 09:10:05 2006: INFO: Access rejected for *: Invalid character
in User-Name
Are you sure you are looking at the right config file?
What version of Radiator are you using?
Cheers.
>
> I got at the beginning of my config file:
>
>
> Trace 4
>
> DbDir /etc/radiator
> LogDir /tmp
> LogFile %L/Radiator-%d%v%Y.log
> DictionaryFile %D/dictionary
> UsernameCharset a-zA-Z0-9\/\.\_\@\-\^\+
>
> BindAddress a.b.c.d
>
> AuthPort xxxx
> AcctPort xxxx
>
> RewriteUsername s/\%/\@/
> RewriteUsername s/\*+//;
> RewriteUsername s/\s*\Z//;
> RewriteUsername s/\\/9/
> RewriteUsername s/^([0-9]{10,11}\Z)/$1\@DOMAIN/
>
>
> So with the UsernameCharset I ensure there won't be any other
> characters than the ones I expect in that list.
> Unfortunately I found this in the log file:
>
> *** Received from k.l.m.n port xxxx ....
> Code: Access-Request
> Identifier: 126
> Authentic: XXXXXXXXXXXXXXXXXXXXX
> Attributes:
> User-Name = "*<9>*"
> User-Password = "XXXXXXXXXXX"
> NAS-Port = 682
> NAS-Port-Type = Async
> Calling-Station-Id = "XXXXXXXXXXXXXXX"
> Called-Station-Id = "XXXXXXXXXXXXXX"
> Service-Type = Login-User
> NAS-IP-Address = k.l.m.n
>
> Thu Feb 23 12:23:06 2006: DEBUG: Rewrote user name to * *
> Thu Feb 23 12:23:06 2006: DEBUG: Rewrote user name to *
> Thu Feb 23 12:23:06 2006: DEBUG: Rewrote user name to *
> Thu Feb 23 12:23:06 2006: DEBUG: Rewrote user name to *
> Thu Feb 23 12:23:06 2006: DEBUG: Rewrote user name to *
>
>
> As you can see, the UsernameCharset didn't do the trick
> and left the username with an *. The real problem is I'm
> authenticating against an LDAP server (among other things)
> with MANY branches (it's really big), so the * causes a user
> binding for ALL the users in ALL the branches. Radiator
> couldn't make it, and crashed.
>
> I already added another RewriteUsername that deals with the
> remaining *, but the question is: why didn't UsernameCharset
> catch the bad username?
>
>
> Best regards.
>
>
> Sergio Gonzalez
> IT Engineer.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
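A worked illustration of the rewrite chain and the charset check from the quoted config, added here as an example; it is not Radiator's own code. The five Perl substitutions are transcribed as Python re.sub calls applied one after the other (first match only, like Perl s/// without /g), in the order the debug log above shows: rewrites first, then the UsernameCharset test. The sample User-Name is the one from the log, an asterisk, a TAB and another asterisk, and the trace shows it ending up as TAB-asterisk, which the charset test rejects. The LDAP filter escaping at the end is an assumption about how a lookup filter for the rewritten name might be built (the attribute name uid is also assumed), not Radiator's LDAP code; it shows why a lone * in a filter matches every entry and how RFC 4515 escaping neutralises it as a second line of defence behind UsernameCharset.

```python
import re

# Constructed sample input: the User-Name from the log, "*<9>*" = asterisk, TAB, asterisk.
SAMPLE_USERNAME = "*\t*"

# The RewriteUsername chain from the quoted config, transcribed as (pattern, replacement) pairs.
# Perl's s/.../.../ without /g replaces only the first match, so each is applied with count=1.
REWRITES = [
    (r"%", "@"),                           # s/\%/\@/
    (r"\*+", ""),                          # s/\*+//
    (r"\s*\Z", ""),                        # s/\s*\Z//
    (r"\\", "9"),                          # s/\\/9/
    (r"^([0-9]{10,11}\Z)", r"\1@DOMAIN"),  # s/^([0-9]{10,11}\Z)/$1\@DOMAIN/
]

# The UsernameCharset from the quoted config, used verbatim as the body of a character class.
USERNAME_CHARSET = r"a-zA-Z0-9\/\.\_\@\-\^\+"
_CHARSET_RE = re.compile("[" + USERNAME_CHARSET + "]+")


def rewrite_username(name, rewrites=REWRITES):
    """Apply the rewrite chain in order and return the final user name."""
    for pattern, repl in rewrites:
        name = re.sub(pattern, repl, name, count=1)
    return name


def rewrite_trace(name, rewrites=REWRITES):
    """Name after each rewrite step, mirroring the 'Rewrote user name to' debug lines."""
    steps = []
    for pattern, repl in rewrites:
        name = re.sub(pattern, repl, name, count=1)
        steps.append(name)
    return steps


def username_charset_ok(name, charset_re=_CHARSET_RE):
    """True if every character of name is in UsernameCharset (empty names are rejected here)."""
    return charset_re.fullmatch(name) is not None


def authorize(name):
    """Rewrite, then apply the charset check. Returns (accepted, final_name, reason)."""
    final = rewrite_username(name)
    if not username_charset_ok(final):
        return False, final, "Invalid character in User-Name"
    return True, final, "User-Name passed UsernameCharset"


# RFC 4515 escaping for values placed inside an LDAP search filter. Assumed defence-in-depth
# for a lookup built from the rewritten name; not Radiator's own LDAP code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value):
    """Escape a filter assertion value so no character in it acts as filter syntax."""
    return "".join(_LDAP_FILTER_ESCAPES.get(c, c) for c in value)


def user_filter(name, attr="uid"):
    """Equality filter for name; a raw * here would become a match-everything wildcard."""
    return "(%s=%s)" % (attr, ldap_filter_escape(name))


if __name__ == "__main__":
    for candidate in (SAMPLE_USERNAME, "1234567890", "user%example.com"):
        for step in rewrite_trace(candidate):
            print("Rewrote user name to %r" % step)
        accepted, final, reason = authorize(candidate)
        print("%r -> %r: %s" % (candidate, final, reason))
    # Unescaped, a lone * yields "(uid=*)", which matches every entry that has a uid.
    print("unescaped:", "(uid=%s)" % "*")
    print("escaped:  ", user_filter("*"))
```

Running it shows the sample name shrinking to TAB-asterisk after the second rewrite and staying there, exactly as the five debug lines above do, and then failing the charset test; the ten-digit name gains @DOMAIN and passes. If a deployment ever skips the charset check (a different config file being loaded, as the reply asks about), the escaped filter still turns * into \2a so the search matches at most one literal entry rather than the whole directory.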