[RADIATOR] Authenticator check and calculation

Laurent Duru laurent.duru at lugos.fr
Fri Mar 8 16:00:21 UTC 2019


Hi All,

We faced an issue with a wrong authenticator on answers sent by Radiator.
In our design, the client source IP is NATed; here is an example radius.cfg client configuration for discussion:

<Client REAL_CLIENT_IP >
        Secret azerty
        Identifier CLIENT
</Client>

<Client DEFAULT>
        Secret qwerty
        Identifier Default
</Client>

REAL_CLIENT_IP is NATed to NAT_CLIENT_IP

When receiving an Access-Request with authenticator from NAT_CLIENT_IP, our Radiator accepts the request and sends an Access-Accept. That means the authenticator check is OK and that the usage of the secret “azerty” is OK. I think Radiator is checking the client on NAS-IP-ADDRESS and not on the IP header address.

When creating the authenticator for the answer, which IP is used? And then is it “azerty” or “qwerty” that is used as the secret?
To have a working config we had to add:
<Client NAT_CLIENT_IP>
        Secret azerty
        Identifier CLIENT
</Client>

This seems to mean Radiator is using the IP header address to calculate the answer and not NAS-IP-ADDRESS.

Has anybody faced the same and can confirm?

Have a nice week-end,

Regards,

Laurent DURU
Lugos, Network Expertise, Metrology & Security
https://www.lugos.fr
M: +33 6 28 09 88 94
laurent.duru at lugos.fr
