Hi,

we have a lot of L2TP customers in production and in the loop.

All customers who tried to use freeradius for L2TP purposes 
failed. At least without fixing the freeradius code.
Most of them migrated to cistron 1.6.5 which does support 
Tunnel-Password encryption.

Some weeks ago I've heard from a customer that new freeradius 
versions are better now with regard to L2TP Tunnel-Password 
encryption.

But it was a mistake to believe this. Lately we ran some tests 
with freeradius 0.5, with the result that L2TP Tunnel-Password 
encryption is still very buggy.

The bug of freeradius 0.5 we are seeing is the following.

The length field value of attribute 69 seems to be OK. 
But the content of the string field (the encrypted password) is 
rubbish. It looks as though the encrypted password is too short, 
since the end of the string is filled with data from the next radius 
attribute.

On Thu, 11 Apr 2002, Chris Parker wrote:
> Ahh, then possibly the NAS has not implemented the RFC standard
> tunnel encryption.  

No, we see this in the snoop of the radius packets. So this is really 
independent of the NAS/LAC or of any proxy.

Comparing the relevant pieces of freeradius code from 0.4 and 0.5, it's easy to 
discover the differences. The code changes are related to the 
password length!


freeradius-snapshot-20011205 (0.4)
----------------------------------
in radius.c:

int rad_tunnel_pwencode ...

...
        char    salt[2];
        int     i, n, secretlen;
        int     len;

        if(pwlen < 2) {
          return 0;
        }
        salt[0] = passwd[0];
        salt[1] = passwd[1];

        /* Advance pointer past the salt, which is first two chars of passwd */
        passwd = passwd + 2;

        /*
         *      Padd password to multiple of AUTH_PASS_LEN bytes.
         */
        len = strlen(passwd);
...



freeradius 0.5
--------------
in radius.c

int rad_tunnel_pwencode ...

...
        char    salt[2];
        int     i, n, secretlen;
        int     len;

        len = *pwlen;

        if (len < 3) {
          return 0;
        }
        salt[0] = passwd[0];
        salt[1] = passwd[1];

        /* Advance pointer past the salt, which is first two chars of passwd */

        passwd = passwd + 2;
        len -= 2;
        *passwd = len;

        /*
         *      Padd password to multiple of AUTH_PASS_LEN bytes.
         */
        if (len > 128) len = 128;

---------------------------------------------------------------


On Wed, 10 Apr 2002, Chris Parker wrote:
> > > I know that it is working at least with Funk
> > > SteelBelted Radius in terms of interoperability.  
> > > FreeRADIUS also works with cisco and Ascend NAS that 
> > > I've tested with ( in setting up L2TP via radius ).

1) Freeradius 0.5 packet snoops prove that freeradius is 
sending buggy attribute 69 packets.

2) Freeradius Tunnel-Password encryption code of version 0.4 
and version 0.5 has been changed.

We have a lot of customers in the loop who are interested in L2TP services.

Cistron 1.6.5 (http://www.radius.cistron.nl) has been certified for L2TP. 
Other radius servers as well, such as radiator (http://www.open.com.au/radiator).

It has always been a little bit painful to migrate all of them from freeradius 
to another radius server.

It might be that there is a specific (snapshot) version between 0.4 and 0.5 which 
is OK. If so, which one?

If not, when could we expect to get a freeradius version which does support 
Tunnel-Password encryption correctly?

I would volunteer to test this version.

Regards,

Thorsten Wystrychowski



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
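For anyone who wants to check attribute 69 values from a snoop against what RFC 2868 section 3.5 actually prescribes, here is an added example (written for this thread, not FreeRADIUS or Cistron code). It encodes a Tunnel-Password the RFC way (Tag, 2-octet salt with the high bit set, then a Length octet plus the password, NUL-padded to a multiple of 16 and MD5/XOR-chained under the shared secret and Request Authenticator), and it checks a captured value for the symptoms described above: an encrypted string that is not a multiple of 16 octets, a length octet that points past the decrypted data, or non-NUL padding. The shared secret, Request Authenticator and password below are constructed test values; on a real server they come from the config and from the Access-Request being answered.

```python
"""RFC 2868 Tunnel-Password (RADIUS attribute 69): encode, decode and check.

Added example for this thread, not FreeRADIUS or Cistron code.  The secret,
Request Authenticator and password used at the bottom are constructed values.
"""
import hashlib
import secrets

BLOCK = 16            # MD5 digest size; RFC 2868 encrypts in 16-octet chunks
TUNNEL_PASSWORD = 69  # RADIUS attribute type of Tunnel-Password


def encrypt_tunnel_password(password, secret, request_authenticator, salt=None, tag=0):
    """Build the attribute value: Tag | Salt | String (RFC 2868 section 3.5).

    String is the MD5/XOR chain over Length(1 octet) | password | NUL padding,
    keyed by the shared secret, the Request Authenticator and the salt.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if len(password) > 239:
        raise ValueError("password too long for a single 253-octet attribute value")
    if salt is None:
        # High bit of the first salt octet must be set; the rest is random.
        salt = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")

    plain = bytes([len(password)]) + password
    plain += b"\x00" * (-len(plain) % BLOCK)      # pad to a multiple of 16
    cipher = bytearray()
    prev = request_authenticator + salt            # b1 = MD5(S + R + A)
    for i in range(0, len(plain), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + BLOCK], keystream))
        cipher += c
        prev = c                                   # b_i = MD5(S + c_(i-1))
    return bytes([tag]) + salt + bytes(cipher)


def check_tunnel_password(value):
    """Structural checks on a captured attribute value; [] means well formed."""
    if len(value) < 3 + BLOCK:
        return [f"value is {len(value)} octets, need at least {3 + BLOCK}"]
    problems = []
    if value[0] > 0x1F:
        problems.append(f"tag octet 0x{value[0]:02x} is outside 0x00..0x1F")
    if not value[1] & 0x80:
        problems.append("high bit of the salt is not set")
    string_len = len(value) - 3
    if string_len % BLOCK:
        problems.append(f"encrypted string is {string_len} octets, not a multiple of {BLOCK}")
    return problems


def check_attribute_69(raw):
    """Check a whole Type | Length | Value attribute as it appears on the wire."""
    if len(raw) < 2:
        return ["attribute shorter than its 2-octet header"]
    atype, alen = raw[0], raw[1]
    problems = []
    if atype != TUNNEL_PASSWORD:
        problems.append(f"type is {atype}, expected {TUNNEL_PASSWORD}")
    if alen != len(raw):
        problems.append(f"length octet says {alen}, but {len(raw)} octets were captured")
    return problems + check_tunnel_password(raw[2:alen])


def decrypt_tunnel_password(value, secret, request_authenticator):
    """Recover the password; raise ValueError on anything a correct encoder
    cannot have produced (bad structure, length octet past the data, padding)."""
    problems = check_tunnel_password(value)
    if problems:
        raise ValueError("; ".join(problems))
    salt, cipher = value[1:3], value[3:]
    plain = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(cipher), BLOCK):
        c = cipher[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ k for x, k in zip(c, keystream))
        prev = c
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError(f"length octet {n} exceeds the {len(plain) - 1} decrypted octets")
    if any(plain[1 + n:]):
        # Padding must be NUL; anything else usually means a wrong secret,
        # a wrong authenticator, or an encoder that wrote the wrong length octet.
        raise ValueError("non-NUL padding after the password")
    return bytes(plain[1:1 + n])


if __name__ == "__main__":
    secret = b"testing123"            # constructed test secret
    authenticator = bytes(range(16))  # constructed Request Authenticator
    value = encrypt_tunnel_password(b"hunter2", secret, authenticator, tag=1)
    raw = bytes([TUNNEL_PASSWORD, len(value) + 2]) + value
    print("attribute:", raw.hex())
    print("problems:", check_attribute_69(raw))
    print("decrypted:", decrypt_tunnel_password(value, secret, authenticator))
```

Feed `check_attribute_69` the raw bytes of attribute 69 cut out of a snoop, and `decrypt_tunnel_password` the value part together with the shared secret and the Request Authenticator of the matching Access-Request; a value that passes both is one a compliant LAC can decode.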
