(RADIATOR) diameter to radius access request conversion creates undefined Authenticator field

Mike McCauley mikem at open.com.au
Tue Mar 20 15:48:00 CST 2007


Hello Blake,

thanks for reporting this and the complete supporting documentation.
There was indeed a problem with the authenticator in requests derived from 
Diameter requests. It has now been fixed in the latest Radiator patch set.

We apologise for any inconvenience, and thanks again for reporting it.

Cheers.

On Wednesday 21 March 2007 04:36, Blake Ulmer wrote:
> Hello,
>
> My environment is using Radiator 3.16 (tried using both rpm and patched
> UNIX install) on RHEL4 for diameter to radius conversion.  I've tried
> googling around, searching through the archives, looking through docs,
> and haven't been able to find any information about the problem I'm
> having.  Forgive me if this is something simple that I'm missing.
>
> I'm using diapwtst (simply, "perl diapwtst -user <user> -password
> <password>") to send a diameter access request to Radiator, have
> Radiator convert it to a radius request, and send it off to a third
> party radius server for acceptance/rejection.  The problem is, once the
> diameter conversion takes place, the resulting radius access request
> contains an undefined 'Authentic' (authenticator) field, and so the
> radius server rejects it (bad password).
>
> My radiusd config file is the default "diameter-server.cfg" file that
> comes with this 3.16, with a few changes.  First, I commented out all
> TLS related things.  Secondly, I added an entry to allow a specific
> realm to proxy my request to my radius server:
>
> <Realm hal9002.com>
>     <AuthBy RADIUS>
>         Host hal9002
>         AuthPort 1812
>         AcctPort 1813
>         Secret <secret>
>         StripFromRequest Timestamp,GRIC-Timestamp
>     </AuthBy>
> </Realm>
>
> I will also post below this a snippet of the TRACE logs according to
> radiusd for the request.
>
> Proxying basic radius requests works fine using radpwtst to create the
> requests, when running radiusd with a radius only config file, and the
> above Realm entry.  I even copied $p->setauthenticator() from radpwtst
> into an appropriate place in ServerDIAMETER.pm to give the converted
> request a hard-coded authenticator and the access request is accepted
> using diapwtst.
>
> So, my round and about question is, is there a reason the authenticator
> is not being set (UNDEF) when the diameter request is converted?  Is
> there a setting in the diameter-server.cfg file I'm missing?
>
> I'm fairly sure that the Authenticator field is required in the radius
> rfc, as it is used for hashing the password, so I don't think the radius
> server I'm using is being too strict on accepting the request.
>
> If anyone can point out what I'm missing, or what the deal is, that
> would be great.
>
> Thank you,
> Blake Ulmer
>
>
> ********************************************************************************
> Tue Mar 20 13:35:26 2007: DEBUG: zulu.open.com.au <- testoriginhost
> recv_v1msg:
>   Code:           265 (AA)
>   Version:        1
>   Flags:          0x80 (R)
>   Application ID: 1 (Nasreq)
>   Hop-to-Hop ID:  1
>   End-to-End ID:  3050307585
>   Attributes:
>     Session-Id: 64, testoriginhost;1234;1,
>     Auth-Application-Id: 64, 1,
>     Origin-Host: 64, testoriginhost,
>     Origin-Realm: 64, testoriginrealm,
>     Destination-Realm: 64, testdestrealm,
>     Auth-Request-Type: 64, AUTHORIZE_AUTHENTICATE,
>     User-Name: 64, bob at hal9002.com,
>     User-Password: 64, <pw>,
>     Called-Station-Id: 64, 123456789,
>     Calling-Station-Id: 64, 987654321,
>     NAS-Port: 64, 1234,
> Tue Mar 20 13:35:26 2007: DEBUG: StateMachine::event R-Rcv-Message in
> state R-Open. Calling Process
> Tue Mar 20 13:35:26 2007: DEBUG: zulu.open.com.au Process
> Tue Mar 20 13:35:26 2007: DEBUG: Packet dump:
> *** Diameter request converted to Radius request ....
> Code:       Access-Request
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
>         NAS-Identifier = "testoriginhost"
>         User-Name = "bob at hal9002.com"
>         User-Password = <pw>
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port = 1234
>
> Tue Mar 20 13:35:26 2007: DEBUG: Handling request with Handler
> 'Realm=hal9002.com'
> Tue Mar 20 13:35:26 2007: DEBUG:  Deleting session for bob at hal9002.com,
> 127.0.0.1, 1234
> Tue Mar 20 13:35:26 2007: DEBUG: Handling with Radius::AuthRADIUS
> Tue Mar 20 13:35:26 2007: DEBUG: AuthBy RADIUS creates new local socket
> '0.0.0.0' for sending requests
> Tue Mar 20 13:35:26 2007: DEBUG: Packet dump:
> *** Sending to 192.168.3.248 port 1812 ....
>
> Packet length = 99
> 01 01 00 63 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 20 10 74 65 73 74 6f 72 69 67 69 6e
> 68 6f 73 74 01 11 62 6f 62 40 68 61 6c 39 30 30
> 32 2e 63 6f 6d 02 12 64 ad 7b 80 ce f7 78 f3 a8
> a3 f8 3b 4b 7e 46 49 1e 0b 31 32 33 34 35 36 37
> 38 39 1f 0b 39 38 37 36 35 34 33 32 31 05 06 00
> 00 04 d2
> Code:       Access-Request
> Identifier: 1
> Authentic:  UNDEF
> Attributes:
>         NAS-Identifier = "testoriginhost"
>         User-Name = "bob at hal9002.com"
>         User-Password = <encrypted pw>
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port = 1234
> ********************************************************************************

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
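
Added example, not part of the original thread and not Radiator code: Python that parses the 99-byte packet dump quoted above, flags its all-zero Request Authenticator, and implements the RFC 2865 User-Password hiding that is keyed on that field, so a server using a different authenticator value than the sender cannot recover the password. All function names are hypothetical; the packet bytes are copied from the quoted dump.

```python
import hashlib
import struct

# The 99 bytes from the "Sending to 192.168.3.248 port 1812" dump in the quoted message.
PACKET = bytes.fromhex("""
01 01 00 63 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 20 10 74 65 73 74 6f 72 69 67 69 6e
68 6f 73 74 01 11 62 6f 62 40 68 61 6c 39 30 30
32 2e 63 6f 6d 02 12 64 ad 7b 80 ce f7 78 f3 a8
a3 f8 3b 4b 7e 46 49 1e 0b 31 32 33 34 35 36 37
38 39 1f 0b 39 38 37 36 35 34 33 32 31 05 06 00
00 04 d2""")

def parse(pkt):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value)])."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def zero_authenticator(pkt):
    """True for an Access-Request (code 1) whose Request Authenticator is 16 zero bytes."""
    code, _, auth, _ = parse(pkt)
    return code == 1 and auth == bytes(16)

def _xor_chain(data, secret, auth, hiding):
    # RFC 2865 5.2: XOR each block with MD5(secret + previous ciphertext block or authenticator).
    out, prev = b"", auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = block if hiding else data[i:i + 16]
        out += block
    return out

def hide_password(password, secret, auth):
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    return _xor_chain(padded, secret, auth, hiding=True)

def recover_password(hidden, secret, auth):
    return _xor_chain(hidden, secret, auth, hiding=False).rstrip(b"\0")
```

RFC 2865 also says the Request Authenticator should be unpredictable and unique over the lifetime of a shared secret; with a constant value the first-block keystream MD5(secret + authenticator) is the same for every request.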
