[RADIATOR] AuthRADSEC and radsecproxy are incompatible!

Ralf Paffrath paffrath at dfn.de
Mon Jul 15 03:07:12 CDT 2013


Hi,

Anyway, it's a bit proprietary that Radiator ignores the correct identifier in an Access-Reject packet.

The Identifier is also part of RFC2865:
Identifier
      The Identifier field is one octet, and aids in matching requests
      and replies.  The RADIUS server can detect a duplicate request if
      it has the same client source IP address and source UDP port and
      Identifier within a short span of time.

FreeRADIUS has never complained about these Access-Reject packets generated by radsecproxy,
because these packets can be matched by the identifier.

Also there is no doubt that radsecproxy might violate RFC 2865 and Radiator violates RFC5997,
it is always not very useful ignoring part of a standard header and insisting on an Ext-Id to match an
Access-Reject.

Best wishes
  Ralf
On Jul 15, 2013, at 9:35 AM, Karl Gaissmaier <karl.gaissmaier at uni-ulm.de> wrote:

> Hello,
> 
> On 15.07.2013 09:27, Stefan Winter wrote:
>> Hi,
>> 
>>> this may be true for Status-Server but not for the Access-Rejects
>>> generated by the radsecproxy. This has to be corrected by radsecproxy.
>>> 
>>> And yes, Radiator AuthRADSEC has to fix the problem with Status-Server.
>>> Both together are incompatible but often used together in eduroam.
>> 
>> Yes, the lack of returning Proxy-State when radsecproxy crafts its own
>> Rejects is definitely a problem of radsecproxy; it violates RFC2865,
>> section 5.33:
>> 
>> "     This Attribute is available to be sent by a proxy server to
>>       another server when forwarding an Access-Request and MUST be
>>       returned unmodified in the Access-Accept, Access-Reject or
>>       Access-Challenge."
>> 
>> I've sent a notice to the radsecproxy mailing list, notifying them of
>> the problem. I'm hoping to see a next release with a proper fix.
> 
> Thanks, you got the point and saved my day!
> 
> Best Regards
>     Charly
> -- 
> Karl Gaissmaier
> Universität Ulm / Germany

--
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1, D - 10178 Berlin
Tel.: 030 88 42 99 23
Fax: 030 88 42 99 70
http://www.dfn.de
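
Added example, not part of the original message and not Radiator, radsecproxy or FreeRADIUS code: a minimal RADIUS parser that matches a reply to a pending request by the Identifier octet and separately reports whether the request's Proxy-State attributes came back unmodified (RFC 2865 section 5.33). The packets are constructed samples, the function names are hypothetical, and Response Authenticator verification is left out because it needs the shared secret.

```python
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3   # RFC 2865 packet codes
USER_NAME, PROXY_STATE = 1, 33         # RFC 2865 attribute types

def build_packet(code, identifier, attrs):
    """Encode header (Code, Identifier, Length, 16-octet Authenticator) + attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    # Authenticator is zeroed: this sketch does not compute or verify it.
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body

def parse_packet(data):
    """Return (code, identifier, [(type, value), ...]); ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, attrs

def proxy_states(attrs):
    """Proxy-State values in packet order (a packet may carry several)."""
    return [v for t, v in attrs if t == PROXY_STATE]

def match_reply(pending, reply):
    """pending maps Identifier -> request bytes for one peer connection.
    Returns (identifier_matches, proxy_state_returned_unmodified)."""
    _, ident, reply_attrs = parse_packet(reply)
    if ident not in pending:
        return False, False
    _, _, req_attrs = parse_packet(pending[ident])
    return True, proxy_states(reply_attrs) == proxy_states(req_attrs)

# Constructed sample packets (not captured traffic).
REQUEST = build_packet(ACCESS_REQUEST, 42, [(USER_NAME, b"user@example.org"),
                                            (PROXY_STATE, b"hop-1")])
PENDING = {42: REQUEST}
REJECT_WITH_STATE = build_packet(ACCESS_REJECT, 42, [(PROXY_STATE, b"hop-1")])
REJECT_BARE = build_packet(ACCESS_REJECT, 42, [])
REJECT_OTHER_ID = build_packet(ACCESS_REJECT, 43, [(PROXY_STATE, b"hop-1")])
```

A receiver that keys only on Identifier accepts `REJECT_BARE`, while one that requires the echoed Proxy-State treats the same packet as unmatched, which is the disagreement discussed in this thread.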
