[RADIATOR] Message-Authenticator Attribute

Renfer Stefan Stefan.Renfer at comfone.com
Mon Nov 12 09:28:33 CST 2012


Hi,

We're using Radiator 4.10 as a proxy for EAP-SIM authentication. We're
aggregating 802.1X-capable Wi-Fi networks on one side and proxying the
requests to an EAP-SIM Gateway. This works fine with the networks that
we've connected so far, but in my opinion the content of the
Message-Authenticator attribute is wrong (maybe I have a wrong
understanding of the definition in RFC 2869) and we may face an issue
when we connect a network that does a proper check on the content of
this attribute.

According to RFC 2869, the Message-Authenticator is defined as

Message-Authenticator = HMAC-MD5(Type, Identifier, Length, Request Authenticator, Attributes)

and therefore the Message-Authenticator should be recalculated on a proxy,
as some of those inputs are different, but it isn't, as you can see in the
logs below:

Request from client, forwarded to the EAP-SIM Gateway:


Mon Nov 12 15:59:45 2012 776032: DEBUG: Packet dump:
*** Received from 10.80.100.20 port 15449 ....
Code:       Access-Request
Identifier: 249
Authentic:  <247><22>wO<168><169>v<136>2C<130><12><231>8<220><198>
Attributes:
        User-Name = "1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org"
        NAS-IP-Address = 10.50.121.1
        NAS-Port = 0
        Called-Station-Id = "32-09-0F-48-1D-27:WiFi Key2roam"
        Calling-Station-Id = "00-1B-63-D2-87-8D"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = <2><2><0><28><18><11><0><0><11><5><0><0><229><145><227><23><209>2<251>oZ_<177><134><27>n<12>|
        State = "Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;1350506262;32461_1"
        Message-Authenticator = <134>y+ku<186><190>g<146><131>tv{}*<138>

Mon Nov 12 15:59:45 2012 776739: DEBUG: Handling request with Handler 'Realm=wlan.mncXXX.mccXXX.3gppnetwork.org', Identifier ''
Mon Nov 12 15:59:45 2012 777210: DEBUG:  Deleting session for 1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org, 0.0.0.1, 0
Mon Nov 12 15:59:45 2012 777529: DEBUG: Handling with Radius::AuthRADIUS
Mon Nov 12 15:59:45 2012 779075: DEBUG: Packet dump:
*** Sending to 87.198.157.22 port 1812 ....
Code:       Access-Request
Identifier: 4
Authentic:  <247><22>wO<168><169>v<136>2C<130><12><231>8<220><198>
Attributes:
        User-Name = "1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org"
        NAS-Port = 0
        Called-Station-Id = "32-09-0F-48-1D-27:WiFi Key2roam"
        Calling-Station-Id = "00-1B-63-D2-87-8D"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-IEEE-802-11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = <2><2><0><28><18><11><0><0><11><5><0><0><229><145><227><23><209>2<251>oZ_<177><134><27>n<12>|
        State = "Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;1350506262;32461_1"
        Message-Authenticator = <134>y+ku<186><190>g<146><131>tv{}*<138>
        NAS-IP-Address = 0.0.0.1

Response from the EAP-SIM Gateway, forwarded to the client:


Mon Nov 12 15:59:45 2012 779498: DEBUG: AuthBy RADIUS result: IGNORE,
Mon Nov 12 15:59:46 2012 050564: DEBUG: Received reply in AuthRADIUS for req 4 from 87.198.157.22:1812
Mon Nov 12 15:59:46 2012 051846: DEBUG: Packet dump:
*** Received from 87.198.157.22 port 1812 ....
Code:       Access-Accept
Identifier: 4
Authentic:  <155>W3n`;<237><255>F<170><29>Vp<191><236>p
Attributes:
        State = "Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;1350506262;32461_1"
        Message-Authenticator = s<198>h<167>O<217><253><226>/<251><8><225>p<18><226><241>
        EAP-Message = <3><0><0><4>
        User-Name = "1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org"
        Chargeable-User-Identity = "01:XXXXXXXXXXXXXXX"
        MS-MPPE-Recv-Key = "<139><237>m<154><247><173><143><231><200><22><162>.<139>CO<11>b<205><219><18>U<237>;<186><201><187>_9<196><127><238><0>"
        MS-MPPE-Send-Key = "<241>'z<180><140><142>^G<143><21>M<133><232><224><4><213><244>\<164><147>/<132><23>z*<182><149><143>H@<179><17>"
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = Encryption-Any

Mon Nov 12 15:59:46 2012 052266: DEBUG: Access accepted for 1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org
Mon Nov 12 15:59:46 2012 054133: DEBUG: Packet dump:
*** Sending to 10.80.100.20 port 15449 ....
Code:       Access-Accept
Identifier: 249
Authentic:  %<156><249><179><133><3>i<246>KR<185><178><24><176><215>t
Attributes:
        State = "Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;1350506262;32461_1"
        Message-Authenticator = s<198>h<167>O<217><253><226>/<251><8><225>p<18><226><241>
        EAP-Message = <3><0><0><4>
        User-Name = "1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org"
        Chargeable-User-Identity = "01:XXXXXXXXXXXXXXX"
        MS-MPPE-Recv-Key = "<139><237>m<154><247><173><143><231><200><22><162>.<139>CO<11>b<205><219><18>U<237>;<186><201><187>_9<196><127><238><0>"
        MS-MPPE-Send-Key = "<241>'z<180><140><142>^G<143><21>M<133><232><224><4><213><244>\<164><147>/<132><23>z*<182><149><143>H@<179><17>"
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = Encryption-Any


As said before, currently this works for our setup, but we may face an
issue in the future (or I just misinterpreted the RFC). Attached to this
mail you'll find a stripped configuration file that may need to be
adapted. Thanks for your support!

Have a nice day!

Kind regards

Stefan Renfer

Comfone AG
Nussbaumstrasse 25
P.O. Box
3000 Bern 22
Switzerland

Phone:  +41 31 341 13 64
Fax:    +41 31 341 11 01
Mobile: +41 78 708 55 38
Email:  stefan.renfer at comfone.com
Web:    http://www.comfone.com


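
Added example, not from the original mail or from Radiator: a small Python check that computes the Message-Authenticator exactly as RFC 2869 section 5.14 defines it, verifies it on a received packet, and then rebuilds the situation in the logs above with constructed data (same Request Authenticator, Identifier 249 changed to 4, attribute list changed, client's Message-Authenticator copied unchanged). The shared secret, Request Authenticator and attribute values are constructed; on a real proxy the secret keying the HMAC also differs per hop, which is a further reason the value has to be recomputed before forwarding.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 4, 5, 80

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_request(identifier, authenticator, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5, keyed with the hop's shared secret, over Code, Identifier,
    Length, Request Authenticator and all attributes, with the 16 MAC bytes zeroed."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    mac = hmac.new(secret, header + authenticator + body, hashlib.md5).digest()
    return header + authenticator + body[:-16] + mac  # MAC is the last attribute

def verify_message_authenticator(packet, secret):
    """Recompute the HMAC over the packet as received; False if absent, malformed or wrong."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    zeroed, pos, found = bytearray(packet[:length]), 20, None
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return False                      # malformed attribute: reject
        if t == MESSAGE_AUTHENTICATOR:
            if l != 18 or found is not None:  # wrong size or duplicated
                return False
            found = bytes(packet[pos + 2:pos + 18])
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
        pos += l
    if found is None:
        return False
    return hmac.compare_digest(found, hmac.new(secret, bytes(zeroed), hashlib.md5).digest())

def proxy_demo():
    """Constructed replay of the log: same Request Authenticator, new Identifier/attributes, old MAC copied."""
    secret = b"constructed-secret"   # assumed the same on both hops for this demo
    req_auth = bytes(range(16))      # constructed Request Authenticator
    attrs = [(USER_NAME, b"1XXXXXXXXXXXXXXX@wlan.mncXXX.mccXXX.3gppnetwork.org"),
             (NAS_PORT, b"\x00\x00\x00\x00")]
    client_req = build_access_request(249, req_auth, attrs, secret)
    fwd_attrs = attrs + [(NAS_IP_ADDRESS, b"\x00\x00\x00\x01")]
    body = encode_attrs(fwd_attrs + [(MESSAGE_AUTHENTICATOR, client_req[-16:])])
    copied = struct.pack("!BBH", ACCESS_REQUEST, 4, 20 + len(body)) + req_auth + body
    recomputed = build_access_request(4, req_auth, fwd_attrs, secret)  # what a proxy should send
    return (verify_message_authenticator(copied, secret),
            verify_message_authenticator(recomputed, secret))  # (False, True)
```

A receiver that checks the attribute, as the mail anticipates, rejects the copied packet and accepts the recomputed one; the verifier also rejects a missing, duplicated or wrongly sized Message-Authenticator.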

Name: eap-sim_proxy_config.cfg.txt
Url: http://www.open.com.au/pipermail/radiator/attachments/20121112/6ffb42e6/attachment-0001.txt