[RADIATOR] Message-Authenticator Attribute
Renfer Stefan
Stefan.Renfer at comfone.com
Mon Nov 12 09:28:33 CST 2012
Hi,
We're using Radiator 4.10 as a proxy for EAP-SIM authentication. We're
aggregating 802.1X-capable Wi-Fi networks on one side and proxying the
requests to an EAP-SIM gateway. This works fine with the networks that
we've connected so far, but in my opinion the content of the
Message-Authenticator attribute is wrong (maybe I have misunderstood the
definition in RFC 2869) and we may face an issue when we connect a
network that does a proper check on the content of this attribute.
According to RFC 2869 the Message-Authenticator is defined as
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request
Authenticator, Attributes)
and therefore the Message-Authenticator should be recalculated on a
proxy, as some of those inputs are different, but it isn't, as you can
see in the logs below:
Request from Client and forward to EAP-SIM Gateway
Mon Nov 12 15:59:45 2012 776032: DEBUG: Packet dump:
*** Received from 10.80.100.20 port 15449 ....
Code: Access-Request
Identifier: 249
Authentic: <247><22>wO<168><169>v<136>2C<130><12><231>8<220><198>
Attributes:
User-Name = "1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org"
NAS-IP-Address = 10.50.121.1
NAS-Port = 0
Called-Station-Id = "32-09-0F-48-1D-27:WiFi Key2roam"
Calling-Station-Id = "00-1B-63-D2-87-8D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = <2><2><0><28><18><11><0><0><11><5><0><0><229><145><227><23><209>2<251>oZ_<177><134><27>n<12>|
State = "Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;1350506262;32461_1"
Message-Authenticator = <134>y+ku<186><190>g<146><131>tv{}*<138>
Mon Nov 12 15:59:45 2012 776739: DEBUG: Handling request with Handler 'Realm=wlan.mncXXX.mccXXX.3gppnetwork.org', Identifier ''
Mon Nov 12 15:59:45 2012 777210: DEBUG: Deleting session for 1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org, 0.0.0.1, 0
Mon Nov 12 15:59:45 2012 777529: DEBUG: Handling with Radius::AuthRADIUS
Mon Nov 12 15:59:45 2012 779075: DEBUG: Packet dump:
*** Sending to 87.198.157.22 port 1812 ....
Code: Access-Request
Identifier: 4
Authentic: <247><22>wO<168><169>v<136>2C<130><12><231>8<220><198>
Attributes:
User-Name = "1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org"
NAS-Port = 0
Called-Station-Id = "32-09-0F-48-1D-27:WiFi Key2roam"
Calling-Station-Id = "00-1B-63-D2-87-8D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = <2><2><0><28><18><11><0><0><11><5><0><0><229><145><227><23><209>2<251>oZ_<177><134><27>n<12>|
State = "Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;1350506262;32461_1"
Message-Authenticator = <134>y+ku<186><190>g<146><131>tv{}*<138>
NAS-IP-Address = 0.0.0.1
Response from EAP-SIM Gateway and forward to Client
Mon Nov 12 15:59:45 2012 779498: DEBUG: AuthBy RADIUS result: IGNORE,
Mon Nov 12 15:59:46 2012 050564: DEBUG: Received reply in AuthRADIUS for req 4 from 87.198.157.22:1812
Mon Nov 12 15:59:46 2012 051846: DEBUG: Packet dump:
*** Received from 87.198.157.22 port 1812 ....
Code: Access-Accept
Identifier: 4
Authentic: <155>W3n`;<237><255>F<170><29>Vp<191><236>p
Attributes:
State = "Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;1350506262;32461_1"
Message-Authenticator = s<198>h<167>O<217><253><226>/<251><8><225>p<18><226><241>
EAP-Message = <3><0><0><4>
User-Name = "1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org"
Chargeable-User-Identity = "01:XXXXXXXXXXXXXXX"
MS-MPPE-Recv-Key = "<139><237>m<154><247><173><143><231><200><22><162>.<139>CO<11>b<205><219><18>U<237>;<186><201><187>_9<196><127><238><0>"
MS-MPPE-Send-Key = "<241>'z<180><140><142>^G<143><21>M<133><232><224><4><213><244>\<164><147>/<132><23>z*<182><149><143>H@<179><17>"
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = Encryption-Any
Mon Nov 12 15:59:46 2012 052266: DEBUG: Access accepted for 1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org
Mon Nov 12 15:59:46 2012 054133: DEBUG: Packet dump:
*** Sending to 10.80.100.20 port 15449 ....
Code: Access-Accept
Identifier: 249
Authentic: %<156><249><179><133><3>i<246>KR<185><178><24><176><215>t
Attributes:
State = "Diameter/MyOriginHost/MyOriginRealm/aaa1.accuris-networks.com;1350506262;32461_1"
Message-Authenticator = s<198>h<167>O<217><253><226>/<251><8><225>p<18><226><241>
EAP-Message = <3><0><0><4>
User-Name = "1XXXXXXXXXXXXXXX at wlan.mncXXX.mccXXX.3gppnetwork.org"
Chargeable-User-Identity = "01:XXXXXXXXXXXXXXX"
MS-MPPE-Recv-Key = "<139><237>m<154><247><173><143><231><200><22><162>.<139>CO<11>b<205><219><18>U<237>;<186><201><187>_9<196><127><238><0>"
MS-MPPE-Send-Key = "<241>'z<180><140><142>^G<143><21>M<133><232><224><4><213><244>\<164><147>/<132><23>z*<182><149><143>H@<179><17>"
MS-MPPE-Encryption-Policy = Encryption-Allowed
MS-MPPE-Encryption-Types = Encryption-Any
As said before, this currently works for our setup, but we may face an
issue in the future (or I have simply misinterpreted the RFC). Attached
to this mail you'll find a stripped configuration file that may need to
be adapted. Thanks for your support!
Have a nice day!
Kind regards
Stefan Renfer
Comfone AG
Nussbaumstrasse 25
P.O. Box
3000 Bern 22
Switzerland
Phone: +41 31 341 13 64
Fax: +41 31 341 11 01
Mobile: +41 78 708 55 38
Email: stefan.renfer at comfone.com
Web: www.comfone.com <http://www.comfone.com>
NOTICE - This message contains information intended only for the use of
those addressees named above. It may also be confidential and/or
privileged. If you are not the intended recipient of this message you
are hereby notified that you must not disseminate, copy or take any
action in reliance on it. If you have received this message in error
please notify the sender.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20121112/6ffb42e6/attachment-0001.html
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: eap-sim_proxy_config.cfg.txt
Url: http://www.open.com.au/pipermail/radiator/attachments/20121112/6ffb42e6/attachment-0001.txt
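The RFC 2869 calculation quoted in the post, worked through as an added example that is not part of the original message and is not Radiator code. It builds a RADIUS packet, computes HMAC-MD5 over Type, Identifier, Length, Request Authenticator and Attributes with the Message-Authenticator value zeroed, and then replays the hop visible in the log: the Identifier changes from 249 to 4, NAS-IP-Address is rewritten to 0.0.0.1 and moved to the end, and the Message-Authenticator is copied through unchanged. The shared secrets, Request Authenticator, EAP payload and the `proxy_demo`/`sign`/`verify` helper names are assumptions made for the demonstration; only the attribute numbers and the HMAC construction come from RFC 2865/2869.

```python
"""Message-Authenticator (RFC 2869 s5.14) computed, verified and re-signed across a proxy hop.
Added example, not Radiator code; all secrets, authenticators and attribute values are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
ZERO16 = b"\x00" * 16


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS Type/Length/Value triples."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def parse_attrs(data):
    attrs = []
    while data:
        t, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:])


def message_authenticator(secret, code, ident, req_auth, attrs):
    """HMAC-MD5(Type, Identifier, Length, Request Authenticator, Attributes) with the
    Message-Authenticator value itself set to 16 zero octets. For Access-Accept/Reject/
    Challenge, req_auth is the Request Authenticator of the Access-Request being answered."""
    zeroed = [(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, req_auth, zeroed), hashlib.md5).digest()


def sign(secret, code, ident, req_auth, attrs):
    """Drop any existing Message-Authenticator and append a freshly computed one."""
    attrs = [(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, ZERO16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(secret, code, ident, req_auth, attrs))
    return attrs


def verify(secret, pkt, req_auth):
    """True only if pkt carries exactly one 16-octet Message-Authenticator valid for this hop."""
    code, ident, _auth, attrs = parse_packet(pkt)
    found = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return False
    return hmac.compare_digest(found[0], message_authenticator(secret, code, ident, req_auth, attrs))


def response_authenticator(secret, code, ident, req_auth, attrs):
    """RFC 2865 s3 Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def proxy_demo():
    """Replay the hop in the post's log: NAS -> proxy -> gateway, then the Accept back."""
    nas_secret, gw_secret = b"nas-hop-secret", b"gateway-hop-secret"   # constructed per-hop secrets
    req_auth = bytes(range(16))                                        # constructed Request Authenticator
    nas_attrs = [(USER_NAME, b"1XXXXXXXXXXXXXXX@wlan.mncXXX.mccXXX.3gppnetwork.org"),
                 (NAS_IP_ADDRESS, bytes([10, 50, 121, 1])),
                 (EAP_MESSAGE, bytes([2, 2, 0, 5, 18]))]               # constructed EAP payload
    r = {}
    # 1. Access-Request from the NAS, Identifier 249, signed under the NAS secret.
    from_nas = sign(nas_secret, ACCESS_REQUEST, 249, req_auth, nas_attrs)
    r["nas_request_valid"] = verify(nas_secret, build_packet(ACCESS_REQUEST, 249, req_auth, from_nas), req_auth)
    # 2. As forwarded in the log: Identifier 4, NAS-IP-Address rewritten to 0.0.0.1 and moved last,
    #    Message-Authenticator copied through unchanged. Fails under the gateway secret, and would
    #    fail even if both hops shared one secret, because Identifier and attributes changed.
    fwd = [(t, v) for t, v in from_nas if t != NAS_IP_ADDRESS] + [(NAS_IP_ADDRESS, bytes([0, 0, 0, 1]))]
    fwd_pkt = build_packet(ACCESS_REQUEST, 4, req_auth, fwd)
    r["copied_valid_at_gateway"] = verify(gw_secret, fwd_pkt, req_auth)
    r["copied_valid_same_secret"] = verify(nas_secret, fwd_pkt, req_auth)
    # 3. What the proxy must do: recompute for the outgoing packet under the gateway secret.
    resigned = sign(gw_secret, ACCESS_REQUEST, 4, req_auth, fwd)
    r["resigned_valid_at_gateway"] = verify(gw_secret, build_packet(ACCESS_REQUEST, 4, req_auth, resigned), req_auth)
    # 4. Access-Accept for Identifier 4 from the gateway; copying it to the NAS fails, re-signing works.
    accept = sign(gw_secret, ACCESS_ACCEPT, 4, req_auth, [(EAP_MESSAGE, bytes([3, 0, 0, 4]))])
    r["accept_copied_valid_at_nas"] = verify(nas_secret, build_packet(ACCESS_ACCEPT, 249, req_auth, accept), req_auth)
    to_nas = sign(nas_secret, ACCESS_ACCEPT, 249, req_auth, accept)
    r["accept_resigned_valid_at_nas"] = verify(nas_secret, build_packet(ACCESS_ACCEPT, 249, req_auth, to_nas), req_auth)
    # The Response Authenticator is also per hop (the log shows the proxy does recompute that one).
    r["response_auth_differs_per_hop"] = (response_authenticator(gw_secret, ACCESS_ACCEPT, 4, req_auth, accept)
                                          != response_authenticator(nas_secret, ACCESS_ACCEPT, 249, req_auth, to_nas))
    return r


if __name__ == "__main__":
    for k, v in proxy_demo().items():
        print(f"{k}: {v}")
```

Because the HMAC is keyed with the shared secret of the hop it is sent on, a copied Message-Authenticator can only survive a proxy if both hops use the same secret and the Code, Identifier, Length, Request Authenticator and every attribute byte stay identical; in the log above the Identifier alone changes from 249 to 4 and NAS-IP-Address is rewritten, so a next hop that validates the attribute (as RFC 3579 requires for packets carrying EAP-Message) would discard the request.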