[RADIATOR] Authenticator check and calculation
Heikki Vatiainen
hvn at open.com.au
Mon Mar 25 14:45:21 UTC 2019
On 20/03/2019 8.43, Laurent Duru wrote:
> Thu Mar 14 14:43:13 2019: DEBUG: Packet dump:
> *** Sending to 100.X.X.X port 46830 ....
>
> Packet length = 192
> 02 [...]
> Code: Access-Accept
> Identifier: 111
> Authentic: <165><127><131>g0<244>m<169>=bj`<228><138><213>m
> Attributes:
> Proxy-State = OSC-Extended-Id=1135
> Tunnel-Server-Endpoint = 1:62.39.X.X
> Tunnel-Assignment-ID = 1:62.39.X.X
> Framed-Protocol = PPP
> Tunnel-Medium-Type = 1:IP
> Service-Type = Framed-User
> Tunnel-Type = 1:L2TP
> Tunnel-Password = "1:password"
> Tunnel-Preference = 1:1
> Tunnel-Server-Endpoint = 2:62.39.X.X
> Tunnel-Assignment-ID = 2:62.39.X.X
> Tunnel-Medium-Type = 2:IP
> Tunnel-Type = 2:L2TP
> Tunnel-Password = "2:password"
> Tunnel-Preference = 2:2
>
> The questions are :
> 1) Does radiator check authenticator in received request and based on which IP (header or other attribute)
It does not check the authenticator, that is, the 'Authentic: ...' field in the
request. If there was a Message-Authenticator attribute, that would be
checked. In an Access-Request the Authenticator goes unchanged over
proxies. It's not (re-)calculated on a hop-by-hop basis.
Note: in your case there was no User-Password, which is encrypted on a
hop-by-hop basis. For this reason the Access-Request did not cause a
password check error.
Note: the RFC that defines the Message-Authenticator attribute recommends using
it with requests that have CHAP-Password.
https://tools.ietf.org/html/rfc2869#section-7.1
> 2) Which IP is used to generate MD5 Hash of Authenticator to send responses.
In this case it's the secret shared with the <Client ...> clause that
matched the IP 100.X.X.X.
If there's a NAT involved and the request was received from the IP
address of NAT, this IP is used as the Client IP. In other words, in
case of NAT, <Client ...> that was used was the one that matched NAT's
address.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
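The two authenticators discussed in the reply, as an added worked example that is not part of the thread or of Radiator's code: the Response Authenticator of RFC 2865 section 3 (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret) and the Message-Authenticator of RFC 2869 section 5.14 (HMAC-MD5 keyed with the shared secret, computed with the attribute's own value zeroed and, for responses, with the Request Authenticator in the header). The secret, the Request Authenticator and the attribute values are constructed for the demo. The verifier shows the point made above about NAT: a reply only verifies under the secret of the `<Client ...>` clause whose address the packet was actually sent to, so a mismatched clause makes the NAS discard the Access-Accept.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
SERVICE_TYPE = 6            # Service-Type; value 2 = Framed-User
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14, 16-octet HMAC-MD5
HEADER_LEN = 20


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one TLV")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def parse_packet(data):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    authenticator = data[4:HEADER_LEN]
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_len = data[pos + 1]
        attrs.append((data[pos], data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, authenticator, attrs


def response_authenticator(code, identifier, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def message_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2869 section 5.14: HMAC-MD5 over the packet with the Message-Authenticator
    value set to 16 zero octets. For a response, the header Authenticator used here
    is the Request Authenticator of the Access-Request being answered."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    attrs_bytes = encode_attributes(zeroed)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs_bytes))
    return hmac.new(secret, header + request_auth + attrs_bytes, hashlib.md5).digest()


def build_packet(code, identifier, request_auth, attrs, secret):
    """Assemble a packet carrying a Message-Authenticator. An Access-Request puts the
    Request Authenticator itself in the header; a response puts the Response
    Authenticator derived from it and the shared secret there."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    mac = message_authenticator(code, identifier, request_auth, attrs, secret)
    attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    attrs_bytes = encode_attributes(attrs)
    if code == ACCESS_REQUEST:
        auth = request_auth
    else:
        auth = response_authenticator(code, identifier, request_auth, attrs_bytes, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs_bytes)) + auth + attrs_bytes


def verify_response(packet, request_auth, secret):
    """What a NAS or proxy does with a reply: check the Response Authenticator and,
    if present, the Message-Authenticator, both under the secret shared with the
    peer that sent it. Any mismatch means the reply is silently discarded."""
    code, identifier, auth, attrs = parse_packet(packet)
    expected = response_authenticator(code, identifier, request_auth, packet[HEADER_LEN:], secret)
    if not hmac.compare_digest(auth, expected):
        return False
    for attr_type, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR:
            expected_mac = message_authenticator(code, identifier, request_auth, attrs, secret)
            if not hmac.compare_digest(value, expected_mac):
                return False
    return True


def verify_request_message_authenticator(packet, secret):
    """The Request Authenticator of an Access-Request is random and not checkable on
    its own (the point made in the reply above); only a Message-Authenticator, if
    present, binds the request to the shared secret. Returns None if there is none."""
    code, identifier, request_auth, attrs = parse_packet(packet)
    for attr_type, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR:
            expected = message_authenticator(code, identifier, request_auth, attrs, secret)
            return hmac.compare_digest(value, expected)
    return None


if __name__ == "__main__":
    # Constructed demo values; neither the secret nor the authenticator is from the thread.
    secret, request_auth = b"example-shared-secret", bytes(range(16))
    accept = build_packet(ACCESS_ACCEPT, 111, request_auth, [(SERVICE_TYPE, b"\x00\x00\x00\x02")], secret)
    print("verifies with the matching <Client> secret:", verify_response(accept, request_auth, secret))
    print("verifies with another clause's secret:", verify_response(accept, request_auth, b"other-secret"))
```

Run as a script it prints True then False. Note that `verify_response` needs the Request Authenticator of the original Access-Request, which is why a NAS keeps it alongside the Identifier until the reply arrives or times out.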