[RADIATOR] the authenticator in COA Ack not as rfc3576 described

Mike McCauley mikem at open.com.au
Wed Aug 12 06:51:55 CDT 2009


Hello Jack,

thanks for reporting this.
It was due to a bug in Radiator which has now been fixed in the latest patch 
set.
We apologise for any inconvenience.

Cheers.

On Wednesday 12 August 2009 04:10:58 pm Jack Ho wrote:
> Why is it that the authenticator in the COA Ack is the same as the
> authenticator in the COA request?
>
> in rfc 3576,
>
> Response Authenticator
>
>       The Authenticator field in a Response packet (e.g. Disconnect-ACK,
>       Disconnect-NAK, CoA-ACK, or CoA-NAK) is called the Response
>       Authenticator, and contains a one-way MD5 hash calculated over a
>       stream of octets consisting of the Code, Identifier, Length, the
>       Request Authenticator field from the packet being replied to, and
>       the response Attributes if any, followed by the shared secret.
>       The resulting 16 octet MD5 hash value is stored in the
>       Authenticator field of the Response packet.
>
>
>
> I am configuring my radiusd to ack all incoming coa requests
>
> <Handler Request-Type = Change-Filter-Request>
>             <AuthBy INTERNAL>
>                    DefaultResult accept
>             </AuthBy>
> </Handler>
>
>
> Here are the request and ack
>
>
>
> No.     Time        Source                Destination           Protocol
> Info 1 0.000000    10.192.17.163         10.192.16.34          RADIUS
> CoA-Request(43) (id=136, l=590)
>
> Frame 1 (632 bytes on wire, 632 bytes captured)
>     Arrival Time: Aug 11, 2009 22:44:21.864816000
>     [Time delta from previous captured frame: 0.000000000 seconds]
>     [Time delta from previous displayed frame: 0.000000000 seconds]
>     [Time since reference or first frame: 0.000000000 seconds]
>     Frame Number: 1
>     Frame Length: 632 bytes
>     Capture Length: 632 bytes
>     [Frame is marked: False]
>     [Protocols in frame: eth:ip:udp:radius]
>     [Coloring Rule Name: UDP]
>     [Coloring Rule String: udp]
> Ethernet II, Src: SunMicro_31:a1:05 (00:03:ba:31:a1:05), Dst:
> 3com_40:7f:52 (00:01:02:40:7f:52)
>     Destination: 3com_40:7f:52 (00:01:02:40:7f:52)
>         Address: 3com_40:7f:52 (00:01:02:40:7f:52)
>         .... ...0 .... .... .... .... = IG bit: Individual address
> (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique
> address (factory default)
>     Source: SunMicro_31:a1:05 (00:03:ba:31:a1:05)
>         Address: SunMicro_31:a1:05 (00:03:ba:31:a1:05)
>         .... ...0 .... .... .... .... = IG bit: Individual address
> (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique
> address (factory default)
>     Type: IP (0x0800)
> Internet Protocol, Src: 10.192.17.163 (10.192.17.163), Dst:
> 10.192.16.34 (10.192.16.34)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 618
>     Identification: 0x1b27 (6951)
>     Flags: 0x04 (Don't Fragment)
>         0... = Reserved bit: Not set
>         .1.. = Don't fragment: Set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 255
>     Protocol: UDP (0x11)
>     Header checksum: 0x2717 [correct]
>         [Good: True]
>         [Bad : False]
>     Source: 10.192.17.163 (10.192.17.163)
>     Destination: 10.192.16.34 (10.192.16.34)
> User Datagram Protocol, Src Port: 53560 (53560), Dst Port: radius-dynauth
> (3799) Source port: 53560 (53560)
>     Destination port: radius-dynauth (3799)
>     Length: 598
>     Checksum: 0xd7c1 [correct]
>         [Good Checksum: True]
>         [Bad Checksum: False]
> Radius Protocol
>     Code: CoA-Request (43)
>     Packet identifier: 0x88 (136)
>     Length: 590
>     Authenticator: B27FE9422D7B33E533221618C0EAE0F7
>     [The response to this request is in frame 2]
>     Attribute Value Pairs
>         AVP: l=49  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=43 t=Unknown-Attribute(196):
> 706F6C6963652D636C6173732D7261746520444154412072...
>                 Unknown-Attribute:
> 706F6C6963652D636C6173732D7261746520444154412072...
>         AVP: l=48  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=42 t=Unknown-Attribute(196):
> 6D657465722D636C6173732D726174652044415441207261...
>                 Unknown-Attribute:
> 6D657465722D636C6173732D726174652044415441207261...
>         AVP: l=38  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=32 t=Unknown-Attribute(196):
> 706F6C6963652D636C6173732D6275727374204441544120...
>                 Unknown-Attribute:
> 706F6C6963652D636C6173732D6275727374204441544120...
>         AVP: l=37  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=31 t=Unknown-Attribute(196):
> 6D657465722D636C6173732D627572737420444154412031...
>                 Unknown-Attribute:
> 6D657465722D636C6173732D627572737420444154412031...
>         AVP: l=35  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=29 t=Unknown-Attribute(88):
> 64656661756C745F716F735F6D65746572696E675F706F6C...
>                 Unknown-Attribute:
> 64656661756C745F716F735F6D65746572696E675F706F6C...
>         AVP: l=35  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=29 t=Unknown-Attribute(87):
> 64656661756C745F716F735F706F6C6963696E675F706F6C...
>                 Unknown-Attribute:
> 64656661756C745F716F735F706F6C6963696E675F706F6C...
>         AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=2 t=Unknown-Attribute(92):
>                 Unknown-Attribute: <MISSING>
>         AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=2 t=Unknown-Attribute(105):
>                 Unknown-Attribute: <MISSING>
>         AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=2 t=Unknown-Attribute(89):
>                 Unknown-Attribute: <MISSING>
>         AVP: l=6  t=Idle-Timeout(28): 0
>             Idle-Timeout: 0
>         AVP: l=6  t=Session-Timeout(27): 0
>             Session-Timeout: 0
>         AVP: l=2  t=Filter-Id(11):
>             Filter-Id:
>         AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=2 t=Unknown-Attribute(165):
>                 Unknown-Attribute: <MISSING>
>         AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=2 t=Unknown-Attribute(107):
>                 Unknown-Attribute: <MISSING>
>         AVP: l=12  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=6 t=Mcast-Receive(34): Unknown(0)
>                 Mcast-Receive: Unknown (0)
>         AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=2 t=Unknown-Attribute(90):
>                 Unknown-Attribute: <MISSING>
>         AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=2 t=Unknown-Attribute(156):
>                 Unknown-Attribute: <MISSING>
>         AVP: l=12  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=6 t=Mcast-MaxGroups(35): 0
>                 Mcast-MaxGroups: 0
>         AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=2 t=Unknown-Attribute(101):
>                 Unknown-Attribute: <MISSING>
>         AVP: l=12  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=6 t=Mcast-Send(33): Unknown(0)
>                 Mcast-Send: Unknown (0)
>         AVP: l=8  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=2 t=Unknown-Attribute(157):
>                 Unknown-Attribute: <MISSING>
>         AVP: l=5  t=User-Name(1): joe
>             User-Name: joe
>         AVP: l=27  t=Acct-Session-Id(44): 0203FFFF38001BAD-487587C7
>             Acct-Session-Id: 0203FFFF38001BAD-487587C7
>         AVP: l=2  t=Class(25):
>             Class: <MISSING>
>         AVP: l=147  t=Class(25):
> 5242414B5F434C4153535F313A5974394D36744E466A4B65...
>             Class: 5242414B5F434C4153535F313A5974394D36744E466A4B65...
>         AVP: l=12  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=6 t=Unknown-Attribute(113): 696E3A30
>                 Unknown-Attribute: 696E3A30
>         AVP: l=13  t=Vendor-Specific(26) v=Redback(2352)
>             VSA: l=7 t=Unknown-Attribute(113): 6F75743A30
>                 Unknown-Attribute: 6F75743A30
>
> 0000  00 01 02 40 7f 52 00 03 ba 31 a1 05 08 00 45 00   ... at .R...1....E.
> 0010  02 6a 1b 27 40 00 ff 11 27 17 0a c0 11 a3 0a c0   .j.'@...'.......
> 0020  10 22 d1 38 0e d7 02 56 d7 c1 2b 88 02 4e b2 7f   .".8...V..+..N..
> 0030  e9 42 2d 7b 33 e5 33 22 16 18 c0 ea e0 f7 1a 31   .B-{3.3".......1
> 0040  00 00 09 30 c4 2b 70 6f 6c 69 63 65 2d 63 6c 61   ...0.+police-cla
> 0050  73 73 2d 72 61 74 65 20 44 41 54 41 20 72 61 74   ss-rate DATA rat
> 0060  65 2d 61 62 73 6f 6c 75 74 65 20 31 30 32 34 1a   e-absolute 1024.
> 0070  30 00 00 09 30 c4 2a 6d 65 74 65 72 2d 63 6c 61   0...0.*meter-cla
> 0080  73 73 2d 72 61 74 65 20 44 41 54 41 20 72 61 74   ss-rate DATA rat
> 0090  65 2d 61 62 73 6f 6c 75 74 65 20 31 30 32 34 1a   e-absolute 1024.
> 00a0  26 00 00 09 30 c4 20 70 6f 6c 69 63 65 2d 63 6c   &...0. police-cl
> 00b0  61 73 73 2d 62 75 72 73 74 20 44 41 54 41 20 31   ass-burst DATA 1
> 00c0  32 38 30 30 30 1a 25 00 00 09 30 c4 1f 6d 65 74   28000.%...0..met
> 00d0  65 72 2d 63 6c 61 73 73 2d 62 75 72 73 74 20 44   er-class-burst D
> 00e0  41 54 41 20 31 32 38 30 30 30 1a 23 00 00 09 30   ATA 128000.#...0
> 00f0  58 1d 64 65 66 61 75 6c 74 5f 71 6f 73 5f 6d 65   X.default_qos_me
> 0100  74 65 72 69 6e 67 5f 70 6f 6c 69 63 79 1a 23 00   tering_policy.#.
> 0110  00 09 30 57 1d 64 65 66 61 75 6c 74 5f 71 6f 73   ..0W.default_qos
> 0120  5f 70 6f 6c 69 63 69 6e 67 5f 70 6f 6c 69 63 79   _policing_policy
> 0130  1a 08 00 00 09 30 5c 02 1a 08 00 00 09 30 69 02   .....0\......0i.
> 0140  1a 08 00 00 09 30 59 02 1c 06 00 00 00 00 1b 06   .....0Y.........
> 0150  00 00 00 00 0b 02 1a 08 00 00 09 30 a5 02 1a 08   ...........0....
> 0160  00 00 09 30 6b 02 1a 0c 00 00 09 30 22 06 00 00   ...0k......0"...
> 0170  00 00 1a 08 00 00 09 30 5a 02 1a 08 00 00 09 30   .......0Z......0
> 0180  9c 02 1a 0c 00 00 09 30 23 06 00 00 00 00 1a 08   .......0#.......
> 0190  00 00 09 30 65 02 1a 0c 00 00 09 30 21 06 00 00   ...0e......0!...
> 01a0  00 00 1a 08 00 00 09 30 9d 02 01 05 6a 6f 65 2c   .......0....joe,
> 01b0  1b 30 32 30 33 46 46 46 46 33 38 30 30 31 42 41   .0203FFFF38001BA
> 01c0  44 2d 34 38 37 35 38 37 43 37 19 02 19 93 52 42   D-487587C7....RB
> 01d0  41 4b 5f 43 4c 41 53 53 5f 31 3a 59 74 39 4d 36   AK_CLASS_1:Yt9M6
> 01e0  74 4e 46 6a 4b 65 5a 4d 38 49 64 58 79 38 57 70   tNFjKeZM8IdXy8Wp
> 01f0  57 4c 68 41 74 43 4b 54 39 37 6c 32 43 72 66 44   WLhAtCKT97l2CrfD
> 0200  30 59 6d 45 36 34 66 36 69 32 5a 75 69 61 47 39   0YmE64f6i2ZuiaG9
> 0210  64 73 67 79 77 4e 48 49 67 79 6a 59 5a 49 4c 68   dsgywNHIgyjYZILh
> 0220  62 38 68 32 4e 4c 72 41 2b 38 65 65 78 38 70 6e   b8h2NLrA+8eex8pn
> 0230  6d 62 48 49 6f 53 32 4a 76 6a 43 2f 57 76 53 48   mbHIoS2JvjC/WvSH
> 0240  6c 55 37 42 62 74 77 35 78 69 72 6a 41 44 55 35   lU7Bbtw5xirjADU5
> 0250  4e 77 6b 78 42 6c 51 53 68 54 47 61 36 49 3d 1a   NwkxBlQShTGa6I=.
> 0260  0c 00 00 09 30 71 06 69 6e 3a 30 1a 0d 00 00 09   ....0q.in:0.....
> 0270  30 71 07 6f 75 74 3a 30                           0q.out:0
> No.     Time        Source                Destination           Protocol
> Info 2 0.005135    10.192.16.34          10.192.17.163         RADIUS
> CoA-ACK(44) (id=136, l=20)
>
> Frame 2 (62 bytes on wire, 62 bytes captured)
>     Arrival Time: Aug 11, 2009 22:44:21.869951000
>     [Time delta from previous captured frame: 0.005135000 seconds]
>     [Time delta from previous displayed frame: 0.005135000 seconds]
>     [Time since reference or first frame: 0.005135000 seconds]
>     Frame Number: 2
>     Frame Length: 62 bytes
>     Capture Length: 62 bytes
>     [Frame is marked: False]
>     [Protocols in frame: eth:ip:udp:radius]
>     [Coloring Rule Name: Checksum Errors]
>     [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1
>
> || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]
>
> Ethernet II, Src: 3com_40:7f:52 (00:01:02:40:7f:52), Dst:
> SunMicro_31:a1:05 (00:03:ba:31:a1:05)
>     Destination: SunMicro_31:a1:05 (00:03:ba:31:a1:05)
>         Address: SunMicro_31:a1:05 (00:03:ba:31:a1:05)
>         .... ...0 .... .... .... .... = IG bit: Individual address
> (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique
> address (factory default)
>     Source: 3com_40:7f:52 (00:01:02:40:7f:52)
>         Address: 3com_40:7f:52 (00:01:02:40:7f:52)
>         .... ...0 .... .... .... .... = IG bit: Individual address
> (unicast) .... ..0. .... .... .... .... = LG bit: Globally unique
> address (factory default)
>     Type: IP (0x0800)
> Internet Protocol, Src: 10.192.16.34 (10.192.16.34), Dst:
> 10.192.17.163 (10.192.17.163)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 48
>     Identification: 0x0000 (0)
>     Flags: 0x04 (Don't Fragment)
>         0... = Reserved bit: Not set
>         .1.. = Don't fragment: Set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 64
>     Protocol: UDP (0x11)
>     Header checksum: 0x0379 [correct]
>         [Good: True]
>         [Bad : False]
>     Source: 10.192.16.34 (10.192.16.34)
>     Destination: 10.192.17.163 (10.192.17.163)
> User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 53560
> (53560) Source port: radius-dynauth (3799)
>     Destination port: 53560 (53560)
>     Length: 28
>     Checksum: 0x3772 [incorrect, should be 0xd385 (maybe caused by
> "UDP checksum offload"?)]
>         [Good Checksum: False]
>         [Bad Checksum: True]
> Radius Protocol
>     Code: CoA-ACK (44)
>     Packet identifier: 0x88 (136)
>     Length: 20
>     Authenticator: B27FE9422D7B33E533221618C0EAE0F7
>     [This is a response to a request in frame 1]
>     [Time from request: 0.005135000 seconds]
>
> 0000  00 03 ba 31 a1 05 00 01 02 40 7f 52 08 00 45 00   ...1..... at .R..E.
> 0010  00 30 00 00 40 00 40 11 03 79 0a c0 10 22 0a c0   .0.. at .@..y..."..
> 0020  11 a3 0e d7 d1 38 00 1c 37 72 2c 88 00 14 b2 7f   .....8..7r,.....
> 0030  e9 42 2d 7b 33 e5 33 22 16 18 c0 ea e0 f7         .B-{3.3"......
>
>
>
> The authenticator in both request and response is the same:
>
>  Authenticator: B27FE9422D7B33E533221618C0EAE0F7
>
> any comment on this?
>
> If I have to use a hook to work around this, how should it be done?
> I don't do a lot of hook programming.
>
> thanks
> jack
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
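For anyone wanting to check their own CoA/Disconnect traffic for this class of problem, here is a small added example (written for this archive page, not code from Radiator or from either poster) that implements the RFC 3576 Request and Response Authenticator rules and runs them over the CoA-ACK bytes from Jack's capture. The shared secret is not in the thread, so a constructed one is used; with a placeholder secret the captured ACK still fails, because a correct Response Authenticator is an MD5 over the reply and the request authenticator and can never simply equal the request authenticator.

```python
import hashlib
import hmac
import struct

# Constructed placeholder; the real shared secret is not in the thread.
SECRET = b"example-shared-secret"

# RADIUS codes used by RFC 3576 dynamic authorization.
COA_REQUEST = 43
COA_ACK = 44
COA_NAK = 45
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Values copied from the CoA-Request / CoA-ACK in the capture above.
CAPTURED_ID = 0x88
CAPTURED_REQUEST_AUTH = bytes.fromhex("B27FE9422D7B33E533221618C0EAE0F7")
# Frame 2 RADIUS payload: Code 44, id 0x88, length 20, authenticator copied
# verbatim from the request (the behaviour Jack reported).
CAPTURED_ACK = bytes.fromhex("2c880014") + CAPTURED_REQUEST_AUTH


def request_authenticator(code, identifier, attributes, secret):
    """RFC 3576 section 3: Request Authenticator for CoA/Disconnect requests is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def response_authenticator(code, identifier, req_auth, attributes, secret):
    """RFC 3576 section 3: Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + req_auth + attributes + secret).digest()


def build_request(code, identifier, attributes, secret):
    """Serialise a CoA/Disconnect request with a correct Request Authenticator."""
    auth = request_authenticator(code, identifier, attributes, secret)
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + auth + attributes


def build_response(code, identifier, req_auth, attributes, secret):
    """Serialise an ACK/NAK whose authenticator is derived from the request's."""
    auth = response_authenticator(code, identifier, req_auth, attributes, secret)
    length = HEADER_LEN + len(attributes)
    return struct.pack("!BBH", code, identifier, length) + auth + attributes


def _split(packet):
    """Return (code, identifier, authenticator, attributes) or None if malformed."""
    if len(packet) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        return None
    return code, identifier, packet[4:HEADER_LEN], packet[HEADER_LEN:length]


def verify_request(packet, secret):
    """Server-side check a CoA/Disconnect request must pass before being acted on."""
    parsed = _split(packet)
    if parsed is None:
        return False
    code, identifier, received, attributes = parsed
    expected = request_authenticator(code, identifier, attributes, secret)
    return hmac.compare_digest(received, expected)


def verify_response(packet, req_auth, secret):
    """Client-side check of an ACK/NAK against the request it answers.

    A reply that merely echoes the request authenticator (as in the capture)
    fails here, since the expected value is an MD5 digest, not a copy."""
    parsed = _split(packet)
    if parsed is None:
        return False
    code, identifier, received, attributes = parsed
    expected = response_authenticator(code, identifier, req_auth, attributes, secret)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    print("captured ACK valid:", verify_response(CAPTURED_ACK, CAPTURED_REQUEST_AUTH, SECRET))
    good = build_response(COA_ACK, CAPTURED_ID, CAPTURED_REQUEST_AUTH, b"", SECRET)
    print("rebuilt ACK valid:", verify_response(good, CAPTURED_REQUEST_AUTH, SECRET))
    print("rebuilt authenticator:", good[4:HEADER_LEN].hex().upper())
```

The client side of the exchange (the NAS or the tool sending the CoA) is where this matters: RFC 3576 says a reply whose Response Authenticator does not verify must be silently discarded, so a server that copies the request authenticator will have its ACKs dropped by a conforming NAS even though the session change may already have been applied.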

