[RADIATOR] the authenticator in COA Ack not as rfc3576 described

Jack Ho mr.jack.ho at gmail.com
Wed Aug 12 01:10:58 CDT 2009


Why is it that the authenticator in the COA Ack is the same as the
authenticator in the COA request?

In RFC 3576:

Response Authenticator

      The Authenticator field in a Response packet (e.g. Disconnect-ACK,
      Disconnect-NAK, CoA-ACK, or CoA-NAK) is called the Response
      Authenticator, and contains a one-way MD5 hash calculated over a
      stream of octets consisting of the Code, Identifier, Length, the
      Request Authenticator field from the packet being replied to, and
      the response Attributes if any, followed by the shared secret.
      The resulting 16 octet MD5 hash value is stored in the
      Authenticator field of the Response packet.



I am configuring my radiusd to ACK all incoming CoA requests:

<Handler Request-Type = Change-Filter-Request>
            <AuthBy INTERNAL>
                   DefaultResult accept
            </AuthBy>
</Handler>


Here are the request and ACK:



No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.192.17.163         10.192.16.34          RADIUS
  CoA-Request(43) (id=136, l=590)

Frame 1 (632 bytes on wire, 632 bytes captured)
    Arrival Time: Aug 11, 2009 22:44:21.864816000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 632 bytes
    Capture Length: 632 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:radius]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: SunMicro_31:a1:05 (00:03:ba:31:a1:05), Dst:
3com_40:7f:52 (00:01:02:40:7f:52)
    Destination: 3com_40:7f:52 (00:01:02:40:7f:52)
        Address: 3com_40:7f:52 (00:01:02:40:7f:52)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
    Source: SunMicro_31:a1:05 (00:03:ba:31:a1:05)
        Address: SunMicro_31:a1:05 (00:03:ba:31:a1:05)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.192.17.163 (10.192.17.163), Dst:
10.192.16.34 (10.192.16.34)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 618
    Identification: 0x1b27 (6951)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x2717 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.192.17.163 (10.192.17.163)
    Destination: 10.192.16.34 (10.192.16.34)
User Datagram Protocol, Src Port: 53560 (53560), Dst Port: radius-dynauth (3799)
    Source port: 53560 (53560)
    Destination port: radius-dynauth (3799)
    Length: 598
    Checksum: 0xd7c1 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Radius Protocol
    Code: CoA-Request (43)
    Packet identifier: 0x88 (136)
    Length: 590
    Authenticator: B27FE9422D7B33E533221618C0EAE0F7
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: l=49  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=43 t=Unknown-Attribute(196):
706F6C6963652D636C6173732D7261746520444154412072...
                Unknown-Attribute:
706F6C6963652D636C6173732D7261746520444154412072...
        AVP: l=48  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=42 t=Unknown-Attribute(196):
6D657465722D636C6173732D726174652044415441207261...
                Unknown-Attribute:
6D657465722D636C6173732D726174652044415441207261...
        AVP: l=38  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=32 t=Unknown-Attribute(196):
706F6C6963652D636C6173732D6275727374204441544120...
                Unknown-Attribute:
706F6C6963652D636C6173732D6275727374204441544120...
        AVP: l=37  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=31 t=Unknown-Attribute(196):
6D657465722D636C6173732D627572737420444154412031...
                Unknown-Attribute:
6D657465722D636C6173732D627572737420444154412031...
        AVP: l=35  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=29 t=Unknown-Attribute(88):
64656661756C745F716F735F6D65746572696E675F706F6C...
                Unknown-Attribute:
64656661756C745F716F735F6D65746572696E675F706F6C...
        AVP: l=35  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=29 t=Unknown-Attribute(87):
64656661756C745F716F735F706F6C6963696E675F706F6C...
                Unknown-Attribute:
64656661756C745F716F735F706F6C6963696E675F706F6C...
        AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=2 t=Unknown-Attribute(92):
                Unknown-Attribute: <MISSING>
        AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=2 t=Unknown-Attribute(105):
                Unknown-Attribute: <MISSING>
        AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=2 t=Unknown-Attribute(89):
                Unknown-Attribute: <MISSING>
        AVP: l=6  t=Idle-Timeout(28): 0
            Idle-Timeout: 0
        AVP: l=6  t=Session-Timeout(27): 0
            Session-Timeout: 0
        AVP: l=2  t=Filter-Id(11):
            Filter-Id:
        AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=2 t=Unknown-Attribute(165):
                Unknown-Attribute: <MISSING>
        AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=2 t=Unknown-Attribute(107):
                Unknown-Attribute: <MISSING>
        AVP: l=12  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=6 t=Mcast-Receive(34): Unknown(0)
                Mcast-Receive: Unknown (0)
        AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=2 t=Unknown-Attribute(90):
                Unknown-Attribute: <MISSING>
        AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=2 t=Unknown-Attribute(156):
                Unknown-Attribute: <MISSING>
        AVP: l=12  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=6 t=Mcast-MaxGroups(35): 0
                Mcast-MaxGroups: 0
        AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=2 t=Unknown-Attribute(101):
                Unknown-Attribute: <MISSING>
        AVP: l=12  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=6 t=Mcast-Send(33): Unknown(0)
                Mcast-Send: Unknown (0)
        AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=2 t=Unknown-Attribute(157):
                Unknown-Attribute: <MISSING>
        AVP: l=5  t=User-Name(1): joe
            User-Name: joe
        AVP: l=27  t=Acct-Session-Id(44): 0203FFFF38001BAD-487587C7
            Acct-Session-Id: 0203FFFF38001BAD-487587C7
        AVP: l=2  t=Class(25):
            Class: <MISSING>
        AVP: l=147  t=Class(25):
5242414B5F434C4153535F313A5974394D36744E466A4B65...
            Class: 5242414B5F434C4153535F313A5974394D36744E466A4B65...
        AVP: l=12  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=6 t=Unknown-Attribute(113): 696E3A30
                Unknown-Attribute: 696E3A30
        AVP: l=13  t=Vendor-Specific(26) v=Redback(2352)
            VSA: l=7 t=Unknown-Attribute(113): 6F75743A30
                Unknown-Attribute: 6F75743A30

No.     Time        Source                Destination           Protocol Info
      2 0.005135    10.192.16.34          10.192.17.163         RADIUS
  CoA-ACK(44) (id=136, l=20)

Frame 2 (62 bytes on wire, 62 bytes captured)
    Arrival Time: Aug 11, 2009 22:44:21.869951000
    [Time delta from previous captured frame: 0.005135000 seconds]
    [Time delta from previous displayed frame: 0.005135000 seconds]
    [Time since reference or first frame: 0.005135000 seconds]
    Frame Number: 2
    Frame Length: 62 bytes
    Capture Length: 62 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:radius]
    [Coloring Rule Name: Checksum Errors]
    [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1
|| ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]
Ethernet II, Src: 3com_40:7f:52 (00:01:02:40:7f:52), Dst:
SunMicro_31:a1:05 (00:03:ba:31:a1:05)
    Destination: SunMicro_31:a1:05 (00:03:ba:31:a1:05)
        Address: SunMicro_31:a1:05 (00:03:ba:31:a1:05)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
    Source: 3com_40:7f:52 (00:01:02:40:7f:52)
        Address: 3com_40:7f:52 (00:01:02:40:7f:52)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.192.16.34 (10.192.16.34), Dst:
10.192.17.163 (10.192.17.163)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x0379 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.192.16.34 (10.192.16.34)
    Destination: 10.192.17.163 (10.192.17.163)
User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 53560 (53560)
    Source port: radius-dynauth (3799)
    Destination port: 53560 (53560)
    Length: 28
    Checksum: 0x3772 [incorrect, should be 0xd385 (maybe caused by
"UDP checksum offload"?)]
        [Good Checksum: False]
        [Bad Checksum: True]
Radius Protocol
    Code: CoA-ACK (44)
    Packet identifier: 0x88 (136)
    Length: 20
    Authenticator: B27FE9422D7B33E533221618C0EAE0F7
    [This is a response to a request in frame 1]
    [Time from request: 0.005135000 seconds]

0000  00 03 ba 31 a1 05 00 01 02 40 7f 52 08 00 45 00   ...1.....@.R..E.
0010  00 30 00 00 40 00 40 11 03 79 0a c0 10 22 0a c0   .0..@.@..y..."..
0020  11 a3 0e d7 d1 38 00 1c 37 72 2c 88 00 14 b2 7f   .....8..7r,.....
0030  e9 42 2d 7b 33 e5 33 22 16 18 c0 ea e0 f7         .B-{3.3"......



The authenticator in both request and response is the same:

 Authenticator: B27FE9422D7B33E533221618C0EAE0F7

Any comment on this?

If I have to use a hook to work around this, how should it be done?
I don't do a lot of hook programming.

thanks
jack

