[RADIATOR] Problems with Secret and SQLClientList

Herrmann, Daniel daniel.herrmann at igd.fraunhofer.de
Tue Sep 2 08:59:06 CDT 2014


Hello Heikki,

thanks so much for your answer.

> > However, the secret does not work. When testing the authentication
> > with NTRadPing, Radiator answers to my (known) client, regardless of
> > which secret I use. If I use "cisco", I get an answer; if I use
> > "7jnasdfjksa" I also get the answer. What can cause Radiator not to
> > check the secret sent with the request?
> 
> the response from Radiator should always be Access-Reject and NTRadPing
> should complain about bad response authenticator or something similar.
> 
> The Authenticator field in the request is used to encrypt the User-Password
> but it is not used to verify the request itself.

Doh! Thanks for your hint. We indeed never checked the password at all. Thus the secret was not taken into consideration. Stupid mistake.

As we are doing MAB authentication on switching devices, they usually send the MAC address of the attached host both as username and password. We thus changed the config like this:

--- 
AuthSelect select `mac`, `vlanid` from view_mabhosts where mac=upper(%0) AND nas_ip="%c"
AuthColumnDef   0, User-Password, check
AuthColumnDef   1, Tunnel-Private-Group-ID, reply
---

Thus the user password is checked, and requests from a NAS with the wrong secret are rejected, with "Bad Password" as the message.

> 
> For verifying the request you should configure your RADIUS clients to send
> Message-Authenticator attribute. In addition, you can configure Radiator
> with RequireMessageAuthenticator Client flag to require the clients to use
> this attribute.

AFAIK most switching devices (including Cisco, commonly used here) do not support the Message-Authenticator attribute. However, the solution above works now, thanks again!

Best regards
Daniel
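Added example (not from this thread and not Radiator code): a small Python model of why the wrong secret went unnoticed and how the two fixes discussed above catch it. It assumes a constructed host MAC, the secret "cisco" from the thread and a fixed request authenticator; it implements the RFC 2865 User-Password encryption that the new "AuthColumnDef 0, User-Password, check" line exercises, and the RFC 2869 Message-Authenticator HMAC that Heikki recommends for clients that support it.

```python
import hashlib
import hmac

MAC = b"001122aabbcc"     # constructed: MAB switches send the host MAC as User-Password
SERVER_SECRET = b"cisco"  # constructed shared secret from Radiator's Client clause

def encrypt_user_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def decrypt_user_password(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def server_decision(cipher, authenticator, check_password):
    # Without a User-Password check (the original config) the secret is never exercised;
    # with the check, a client using the wrong secret decrypts to garbage and is rejected.
    if not check_password:
        return "Access-Accept"
    ok = decrypt_user_password(cipher, SERVER_SECRET, authenticator) == MAC
    return "Access-Accept" if ok else "Access-Reject (Bad Password)"

def build_request(authenticator, secret):
    # Minimal Access-Request: User-Password (type 2) plus a zeroed Message-Authenticator
    # (type 80); the RFC 2869 HMAC-MD5 over the whole packet is then written into it.
    pw = encrypt_user_password(MAC, secret, authenticator)
    body = bytes([2, len(pw) + 2]) + pw
    ma_off = 20 + len(body) + 2
    body += bytes([80, 18]) + b"\x00" * 16
    pkt = bytes([1, 0]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:ma_off] + mac + pkt[ma_off + 16:]

def verify_message_authenticator(pkt, secret):
    # Walk the attributes, zero the Message-Authenticator value and recompute the HMAC.
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == 80 and alen == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[pos + 2:pos + 18])
        pos += alen
    return False
```

The request authenticator alone proves nothing about the secret, which is why only the password check (or the HMAC) turns a wrong secret into a reject.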
