[RADIATOR] NoEAP can result to wrong Accept
Heinrich Mislik
Heinrich.Mislik at univie.ac.at
Wed Apr 29 07:45:55 CDT 2009
Hello,
I am using Radiator-4.4-1.
While processing an EAP Inner-request like this:
Code: Access-Request
Identifier: UNDEF
Authentic: <171><139><167><243><5><146>8\<210>hh<172>[8<246><226>
Attributes:
EAP-Message = <2><11><0><3><1>bm
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "bm"
NAS-IP-Address = 131.130.230.5
NAS-Identifier = "Hades"
NAS-Port = 29
Calling-Station-Id = "00-1C-B3-72-E7-E6"
This was passed to several AuthBy-clauses including this:
<AuthBy SQL>
NoEAP
IgnoreAccounting
NoDefault
Include dblogin.cfg
AuthSelect SELECT passwd \
FROM dialin_auth \
WHERE username = RPAD(?,8)
AuthSelectParam %U
AuthColumnDef 0,Encrypted-Password, check
</AuthBy>
Although there is no password in the request, this resulted in ACCEPT.
The reason is in AuthGeneric.pm sub checkAttributes, Line 1542:
# EAP passwords have already been checked
next if defined $p->getAttrByNum($Radius::Radius::EAP_MESSAGE);
I think this should be:
# EAP passwords have already been checked
next if defined $p->getAttrByNum($Radius::Radius::EAP_MESSAGE) &&
!$self->{NoEAP};
The same can happen in other checks as well.
Cheers
Heinrich
--
Heinrich Mislik
Zentraler Informatikdienst der Universitaet Wien
A-1010 Wien, Universitaetsstrasse 7
Tel.: (+43 1) 4277-14056, Fax: (+43 1) 4277-9140
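
The skip described in the post, shown as an added example that is not part of the original message and is not Radiator's code: a simplified Perl model of a check-item loop with the reported condition beside the proposed one. The names `check_items` and `password_ok`, the request hash and the crypt value are constructed for illustration.

```perl
#!/usr/bin/perl
# Simplified model of the check-item loop discussed above. Hypothetical code:
# check_items, password_ok and the data below are illustrative, not Radiator's API.
use strict;
use warnings;

# Constructed inner request: an EAP identity response and no User-Password.
my %request = (
    'User-Name'   => 'bm',
    'EAP-Message' => "\x02\x0b\x00\x07\x01bm",
);

# Constructed row as an AuthSelect would return it: one password check item.
my @check = ( [ 'Encrypted-Password', 'ab01FAX.bQRSU' ] );

sub password_ok {
    my ($req, $crypted) = @_;
    my $pw = $req->{'User-Password'};
    return 0 unless defined $pw;    # no password in the request: cannot match
    my $hash = crypt($pw, $crypted);
    return (defined $hash && $hash eq $crypted) ? 1 : 0;
}

# $honour_noeap = 0 models the behaviour reported in the post,
# $honour_noeap = 1 models the condition the post proposes.
sub check_items {
    my ($req, $items, $no_eap, $honour_noeap) = @_;
    for my $item (@$items) {
        my ($name, $value) = @$item;
        next unless $name eq 'Encrypted-Password';
        my $is_eap = defined $req->{'EAP-Message'};
        # Skipping is only sound if an EAP handler really verified the
        # credentials. With NoEAP set, no EAP handler ever ran.
        next if $is_eap && !($honour_noeap && $no_eap);
        return 'REJECT' unless password_ok($req, $value);
    }
    return 'ACCEPT';    # every check item passed or was skipped
}

printf "%-28s %s\n", 'NoEAP, reported behaviour:',
    check_items(\%request, \@check, 1, 0);
printf "%-28s %s\n", 'NoEAP, proposed condition:',
    check_items(\%request, \@check, 1, 1);
```

The same pair of calls works as a regression check for any other check item that is skipped on the presence of EAP-Message.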