[RADIATOR] Authenticator check and calculation

Dubravko Penezic dpenezic at srce.hr
Mon Mar 11 06:35:55 UTC 2019


Hi Laurent,

Did you check what RADIATOR said when it received the RADIUS request package,
the first few lines with Trace 5?

Regards,
Dubravko Penezic

On 3/8/19 5:00 PM, Laurent Duru wrote:
> Hi All,
>
> We faced an issue with a wrong authenticator on answers sent by Radiator.
>
> In our design, the client source IP is NATed. Here is an example of
> radius.cfg client configuration for discussion:
>
> <Client REAL_CLIENT_IP>
>         Secret azerty
>         Identifier CLIENT
> </Client>
>
> <Client DEFAULT>
>         Secret qwerty
>         Identifier Default
> </Client>
>
> REAL_CLIENT_IP is NATed to NAT_CLIENT_IP
>
> When receiving an Access-Request with authenticator from NAT_CLIENT_IP, our
> Radiator accepts the request and sends an Access-Accept. That means the
> authenticator check is OK and that the usage of the secret “azerty” is
> OK. I think Radiator is checking the client on NAS-IP-ADDRESS and not the IP
> header address.
>
> When creating the authenticator for the answer, which IP is used? And then
> is it “azerty” or “qwerty” that is used as the secret?
>
> To have a working config we had to add:
>
> <Client NAT_CLIENT_IP>
>         Secret azerty
>         Identifier CLIENT
> </Client>
>
> This seems to mean Radiator is using the IP header address to calculate the
> answer and not NAS-IP-ADDRESS.
>
> Has anybody faced the same and can confirm?
>
> Have a nice week-end,
>
> Regards,
>
> *Laurent DURU*
> *Lugos*, Network, Metrology & Security Expertise
> https://www.lugos.fr
> M: +33 6 28 09 88 94
> laurent.duru at lugos.fr

-- 
Dubravko Penezic
Sektor za posrednicke sustave i podatkovne usluge
Sveuciliste u Zagrebu, Sveucilisni racunski centar (Srce),
www.srce.unizg.hr
Dubravko.Penezic at srce.hr, tel: +385 1 616 5555, fax: +385 1 616 5559

