[RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests
Karl Gaissmaier
karl.gaissmaier at uni-ulm.de
Sun Jul 14 03:30:59 CDT 2013
Hi radiator team,
still debugging the nasty bug between radsecproxy and Radiator in
the eduroam connection between uni-ulm.de and radiusX.dfn.de, sigh!
I have the problem with 'AuthBy RADSEC', where always extended IDs are
used. If someone is stripping/mangling the Proxy-State, the reply can't
be mapped to the request and the warning is printed:
> WARNING: Unknown reply received in AuthRADSEC for request from 127.0.0.1:2083
The missing request Id can't be mapped, therefore the additional blank in
the warning between 'request <> from'.
There is never a PacketTrace to see the buggy answer. A patch will come
soon to dump this, but wait and read to the end of my message.
Now I looked for the Radiator behavior for AuthBy RADIUS with
extended Ids and stripping Proxy-State. Wondering, it worked!
... But only for the first 256 Requests (8-Bits, 0xff mask in code)
and after that I got the same/similar warning:
> WARNING: Unknown reply received in AuthRADIUS for request 0 from 127.0.0.1:1900
...
> WARNING: Unknown reply received in AuthRADIUS for request 1 from 127.0.0.1:1900
You see, now the request Id is used from the 8-Bit Packet-Identifier,
but could not be mapped to the Proxy-State ExtendedId, since the 8 Bits
wrapped:
> Proxy-State = OSC-Extended-Id=256
...
> Proxy-State = OSC-Extended-Id=257
This is not optimal, since it works for a while after starting radiusd
and after 256 requests you get spurious errors.
Please fix this, if you UseExtendedIds in AuthBy RADIUS you should
always WARN if the Proxy-State is stripped or mangled.
And sure, we need better packet dumps in this case to see the
sent/missing/mangled attributes in the reply packet.
Best Regards
Charly
--
Karl Gaissmaier
Universität Ulm / Germany
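
The behaviour reported in this message, as a simplified Python model added here as an example; it is not Radiator's code and not part of the original post. The class, the `strict` switch and the dictionary packet layout are assumptions; only the `OSC-Extended-Id=` Proxy-State value and the 0xff mask come from the message.

```python
import re

EXT_ID_RE = re.compile(r"^OSC-Extended-Id=(\d+)$")

class ExtendedIdProxy:
    """Toy model of reply matching with extended ids (not Radiator code)."""

    def __init__(self, strict=False):
        self.strict = strict      # hypothetical switch: never fall back to the 8-bit id
        self.next_id = 0
        self.pending = {}         # extended id -> request context

    def send(self, context):
        ext_id = self.next_id
        self.next_id += 1
        self.pending[ext_id] = context
        # The wire identifier is only 8 bits wide; the full id rides in Proxy-State.
        return {"identifier": ext_id & 0xFF,
                "proxy_state": f"OSC-Extended-Id={ext_id}"}

    def receive(self, reply):
        """Return (context, warning); exactly one of the two is None."""
        m = EXT_ID_RE.match(reply.get("proxy_state") or "")
        if m:
            key = int(m.group(1))
        elif self.strict:
            return None, "Proxy-State missing or mangled in reply %d" % reply["identifier"]
        else:
            key = reply["identifier"]   # fallback: correct only while ext_id < 256
        context = self.pending.pop(key, None)
        if context is None:
            return None, "Unknown reply received for request %d" % key
        return context, None


def replay(count, strict=False):
    """Send `count` requests through a peer that strips Proxy-State; collect warnings."""
    proxy = ExtendedIdProxy(strict=strict)
    warnings = []
    for n in range(count):
        packet = proxy.send(f"user{n}")
        stripped = {"identifier": packet["identifier"]}   # constructed reply, Proxy-State removed
        _, warning = proxy.receive(stripped)
        if warning:
            warnings.append(warning)
    return warnings
```

With the fallback in place the stripped Proxy-State goes unnoticed for requests 0 to 255 and only surfaces once the identifier wraps; with `strict=True` the very first stripped reply produces a warning.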