[RADIATOR] Authenticator check and calculation

Laurent Duru laurent.duru at lugos.fr
Wed Mar 20 06:43:20 UTC 2019


Hello Dubravko,

Sorry for the delay, I was out of office,

I have no error in the trace 5; the request is handled and the response sent. Please see anonymized logs of a NOK accept:

Thu Mar 14 14:43:13 2019: DEBUG: Packet dump:
*** Received from 100.X.X.X port 46830 ....

Packet length = 385
[...]

Code:       Access-Request
Identifier: 111
Authentic:  <223>~<251>y+<135><209><199><11><235><10><22><16><241><22>n
Attributes:
	User-Name = "Clt000778-001 at operateur.dop"
	CHAP-Password = <1>w<233><31><139><191>
	CHAP-Challenge = <223>~<251>y+<135>><22><16><241><22>n
	NAS-Port = 42410
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "c0:67:af:bf:d6:20"
	NAS-Identifier = "92per1-r0b0"
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "slot=0;subslot=0;port=10;vlanid=1450"
	Acct-Session-Id = "92per1-190314134958a241754500114"
	Huawei-Startup-Stamp = 1342055654
	Huawei-IPHost-Addr = "255.255.255.255 c0:67:af:bf:d6:20"
	Huawei-Connect-ID = 114
	Huawei-Version = "Huawei SmartAX MA5200 Software Version 2.10 RELEASE 7212"
	Huawei-Domain-Name = "l2tpmax"
	NAS-IP-Address = 84.96.Y.Y
	Proxy-State = OSC-Extended-Id=1135

Thu Mar 14 14:43:13 2019: DEBUG: Handling request with Handler 'Realm="operateur.dop"', Identifier ''
Thu Mar 14 14:43:13 2019: DEBUG:  Deleting session for Clt000778-001 at operateur.dop, 84.96.Y.Y, 42410
Thu Mar 14 14:43:13 2019: DEBUG: do query to 'dbi:mysql:radmin:RAD1-POP Connection id: 0-00000': 'delete from RADONLINE where NASIDENTIFIER='84.96.Y.Y' and NASPORT=042410': 
Thu Mar 14 14:43:13 2019: DEBUG: Handling with Radius::AuthRADMIN: MYSQL1
Thu Mar 14 14:43:13 2019: DEBUG: Handling with Radius::AuthRADMIN: MYSQL1
Thu Mar 14 14:43:13 2019: DEBUG: Query to 'dbi:mysql:radmin:RAD1-POP Connection id: 0-00000': 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME='Clt000778-001 at operateur.dop'': 
Thu Mar 14 14:43:13 2019: DEBUG: Query to 'dbi:mysql:radmin:RAD1-POP Connection id: 0-00000': 'select ATTR_ID, VENDOR_ID, IVALUE, SVALUE, ITEM_TYPE from RADCONFIG where NAME='Clt000778-001 at operatel.dop' order by ITEM_TYPE': 
Thu Mar 14 14:43:13 2019: DEBUG: Radius::AuthRADMIN looks for match with Clt000778-001 at operateur.dop [Clt000778-001 at operateur.dop]
Thu Mar 14 14:43:13 2019: DEBUG: Query to 'dbi:mysql:radmin:RAD1-POP Connection id: 0-00000': 'select NASIDENTIFIER, NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNAME='Clt000778-001 at operateur.dop'': 
Thu Mar 14 14:43:13 2019: DEBUG: ValidFrom date converted to: 1543916499
Thu Mar 14 14:43:13 2019: DEBUG: Expiration date converted to: 2147483647
Thu Mar 14 14:43:13 2019: DEBUG: do query to 'dbi:mysql:radmin:RAD1-POP Connection id: 0-00000': 'update RADUSERS set BADLOGINS=0 where USERNAME='Clt000778-001 at operateur.dop'': 
Thu Mar 14 14:43:13 2019: DEBUG: Radius::AuthRADMIN ACCEPT: : Clt000778-001 at operateur.dop [Clt000778-001 at operateur.dop]
Thu Mar 14 14:43:13 2019: DEBUG: AuthBy RADMIN result: ACCEPT, 
Thu Mar 14 14:43:13 2019: DEBUG: Access accepted for Clt000778-001 at operateur.dop
Thu Mar 14 14:43:13 2019: DEBUG: do query to 'dbi:mysql:radmin:RAD1-POP Connection id: 0-00000': 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (1552570993, 'Clt000778-001 at operateur.dop', 1)': 

Thu Mar 14 14:43:13 2019: DEBUG: Packet dump:
*** Sending to 100.X.X.X port 46830 ....

Packet length = 192
02 [...]
Code:       Access-Accept
Identifier: 111
Authentic:  <165><127><131>g0<244>m<169>=bj`<228><138><213>m
Attributes:
	Proxy-State = OSC-Extended-Id=1135
	Tunnel-Server-Endpoint = 1:62.39.X.X
	Tunnel-Assignment-ID = 1:62.39.X.X
	Framed-Protocol = PPP
	Tunnel-Medium-Type = 1:IP
	Service-Type = Framed-User
	Tunnel-Type = 1:L2TP
	Tunnel-Password = "1:password"
	Tunnel-Preference = 1:1
	Tunnel-Server-Endpoint = 2:62.39.X.X
	Tunnel-Assignment-ID = 2:62.39.X.X
	Tunnel-Medium-Type = 2:IP
	Tunnel-Type = 2:L2TP
	Tunnel-Password = "2:password"
	Tunnel-Preference = 2:2

The questions are:
1) Does Radiator check the authenticator in the received request, and based on which IP (header or other attribute)?
2) Which IP is used to generate the MD5 hash of the Authenticator to send responses?


Laurent DURU
Lugos, Expertise Réseaux, Métrologie & Sécurité
https://www.lugos.fr
M: +33 6 28 09 88 94
laurent.duru at lugos.fr
Adopt the eco-attitude. Print this e-mail only if really necessary.
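As an added example (not code from this thread or from Radiator) of the two mechanisms the questions touch: the CHAP check in an Access-Request, which never involves the shared secret, and the RFC 2865 Response Authenticator, which does, so a reply signed with the secret of the wrong Client clause is silently discarded by the NAS. The challenge, password and user name are constructed; "azerty" and "qwerty" are the secrets from the example radius.cfg quoted below.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this example; they are not the anonymized values from the thread.
CHALLENGE = bytes(range(16))      # stands in for the Request Authenticator / CHAP-Challenge
CHAP_ID = 1
PASSWORD = b"user-password"       # cleartext PASS_WORD the server reads from RADUSERS
SECRET_CLIENT = b"azerty"         # secret of <Client REAL_CLIENT_IP>, the one the NAS is configured with
SECRET_DEFAULT = b"qwerty"        # secret of <Client DEFAULT>

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: Ident || MD5(Ident || password || challenge). No shared secret is involved."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def verify_chap(chap_value: bytes, password: bytes, challenge: bytes) -> bool:
    """Server-side CHAP check: recompute from the stored password and the challenge the NAS sent."""
    return hmac.compare_digest(chap_password(chap_value[0], password, challenge), chap_value)

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret). Here the secret matters."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def nas_accepts_reply(code, ident, attrs, request_auth, response_auth, secret) -> bool:
    """What the NAS does with a reply: recompute with its own secret and compare; a mismatch is dropped."""
    return hmac.compare_digest(response_authenticator(code, ident, attrs, request_auth, secret), response_auth)

def demo() -> tuple:
    # NAS side: CHAP-Password (attribute 3) is derived from the password and the challenge only.
    chap = chap_password(CHAP_ID, PASSWORD, CHALLENGE)
    # Server side: the CHAP check succeeds whatever secret its matched Client clause holds.
    chap_ok = verify_chap(chap, PASSWORD, CHALLENGE)
    # Server builds an Access-Accept (Code 2, Identifier 111) and signs it with the clause's secret.
    acc_attrs = encode_attr(6, struct.pack("!I", 2)) + encode_attr(7, struct.pack("!I", 1))  # Framed-User, PPP
    with_client_secret = response_authenticator(2, 111, acc_attrs, CHALLENGE, SECRET_CLIENT)
    with_default_secret = response_authenticator(2, 111, acc_attrs, CHALLENGE, SECRET_DEFAULT)
    # NAS checks both replies with the secret it was configured with ("azerty").
    ok_right = nas_accepts_reply(2, 111, acc_attrs, CHALLENGE, with_client_secret, SECRET_CLIENT)
    ok_wrong = nas_accepts_reply(2, 111, acc_attrs, CHALLENGE, with_default_secret, SECRET_CLIENT)
    return chap_ok, ok_right, ok_wrong

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The middle value is the case where the Client clause matched by the server holds the NAS's secret; the last is the NATed case where <Client DEFAULT> matched instead, and the NAS drops the Access-Accept even though the server logged "Access accepted".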
 

On 11/03/2019 07:35, "Dubravko Penezic" <dpenezic at srce.hr> wrote:

    Hi Laurent,
    
    did you check what RADIATOR said when receiving the RADIUS request packet,
    the first few lines with Trace 5?
    
    Regards,
    Dubravko Penezic
    
    On 3/8/19 5:00 PM, Laurent Duru wrote:
    > Hi All,
    > 
    > We faced an issue with a wrong authenticator on answers sent by Radiator.
    > 
    > In our design, the client source IP is NATed. Here is an example of
    > radius.cfg client configuration for discussion:
    > 
    > <Client REAL_CLIENT_IP >
    >         Secret azerty
    >         Identifier CLIENT
    > </Client>
    > 
    > <Client DEFAULT>
    >         Secret qwerty
    >         Identifier Default
    > </Client>
    > 
    > REAL_CLIENT_IP is NATed to NAT_CLIENT_IP
    > 
    > When receiving an Access-Request with authenticator from NAT_CLIENT_IP, our
    > Radiator accepts the request and sends an Access-Accept. That means the
    > authenticator check is OK and that the usage of the secret "azerty" is
    > OK. I think Radiator is checking the client on NAS-IP-ADDRESS and not the IP
    > header address.
    > 
    > When creating the authenticator for the answer, which IP is used? And then
    > is it "azerty" or "qwerty" that is used as the secret?
    > 
    > To have a working config we had to add:
    > 
    > <Client NAT_CLIENT_IP>
    >         Secret azerty
    >         Identifier CLIENT
    > </Client>
    > 
    > This seems to mean Radiator is using the IP header address to calculate the
    > answer and not NAS-IP-ADDRESS.
    > 
    > Has anybody faced the same and can confirm?
    > 
    > Have a nice week-end,
    > 
    > Regards,
    > 
    > Laurent DURU
    > 
    > Lugos, Expertise Réseaux, Métrologie & Sécurité
    > 
    > https://www.lugos.fr
    > 
    > M: +33 6 28 09 88 94
    > 
    > laurent.duru at lugos.fr <mailto:laurent.duru at lugos.fr>
    > 
    > Adopt the eco-attitude. Print this e-mail only if really necessary.
    > 
    > _______________________________________________
    > radiator mailing list
    > radiator at lists.open.com.au
    > https://lists.open.com.au/mailman/listinfo/radiator
    > 
    
    -- 
    Dubravko Penezic
    Sektor za posrednicke sustave i podatkovne usluge
    Sveuciliste u Zagrebu, Sveucilisni racunski centar (Srce),
    www.srce.unizg.hr
    Dubravko.Penezic at srce.hr, tel: +385 1 616 5555, fax: +385 1 616 5559
    