Hi people. I'm posting this in case it can be useful to anybody that wants to do the same as me.

At the moment it is the only way I have found to make FreeRADIUS proxy packets to a Cisco Secure ACS. I know it's a dumb patch; it is simply an "if" which ignores the check of the "Message-Authenticator" attribute for Accounting-Response packets. Anyway, I wanted to test it as far as I could. It has been working since last Thursday up to now, without problems.

I hope some day an RFC arrives to bring light to the darkness of this attribute.

I only want to clarify that this is not a specific issue that I came across. It's a generic issue between FreeRADIUS and Cisco.

This is the patch file I used in the radius.c code:

# cat freeradius.patch
diff -Naur freeradius-1.0.5-patched/src/lib/radius.c freeradius-1.0.5/src/lib/radius.c --- freeradius-1.0.5-patched/src/lib/radius.c 2005-09-16 09:39:53.345956517 -0300
+++ freeradius-1.0.5/src/lib/radius.c   2005-08-19 16:43:46.000000000 -0300
@@ -669,7 +669,7 @@
               memset ((char *) &salocal, '\0', sizeof (salocal));
               salocal.sin_family = AF_INET;
               salocal.sin_addr.s_addr = packet->src_ipaddr;
-
+
return sendfromto(packet->sockfd, packet->data, (int)packet->data_len, 0, (struct sockaddr *)&salocal, sizeof(struct sockaddr_in), (struct sockaddr *)&saremote, sizeof(struct sockaddr_in));
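Review bot: this hunk is whitespace-only. The single changed line is the blank line between the salocal setup and the `return sendfromto(...)`, replaced by another blank line (trailing whitespace differs), so it changes nothing in the send path and should be dropped from the patch before it is circulated; it only shows that the two trees were edited with different whitespace settings.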
@@ -1198,23 +1198,15 @@
                         break;
                       }

-                       /*  Patch by Martin Arrieta and Paolo Rotela.
- * Ignores Message-Authenticator in Accounting Response packets - * Because RFCs doesn't specify how to calculate it. - * It prevents Dropping packets when proxying Accounting-Requests - * to Cisco Secure ACS and possibily other implementations.
-                        */
-                       if (packet->code != PW_ACCOUNTING_RESPONSE) {
- lrad_hmac_md5(packet->data, packet->data_len, - secret, strlen(secret), calc_auth_vector); - if (memcmp(calc_auth_vector, msg_auth_vector, - sizeof(calc_auth_vector)) != 0) {
-                                               char buffer[32];
- librad_log("Received packet from %s with invalid Message-Authenticator! (Shared secret is incorrect.)", - ip_ntoa(buffer, packet->src_ipaddr));
-                                               return -1;
- } /* else the message authenticator was good */
-                       }
+                       lrad_hmac_md5(packet->data, packet->data_len,
+ secret, strlen(secret), calc_auth_vector);
+                       if (memcmp(calc_auth_vector, msg_auth_vector,
+                                   sizeof(calc_auth_vector)) != 0) {
+                               char buffer[32];
+ librad_log("Received packet from %s with invalid Message-Authenticator! (Shared secret is incorrect.)", + ip_ntoa(buffer, packet->src_ipaddr));
+                               return -1;
+                       } /* else the message authenticator was good */

                       /*
                        *      Reinitialize Authenticators.
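Review bot: the diff direction is reversed, so this file as posted removes the fix rather than adding it. The header is `diff -Naur freeradius-1.0.5-patched/... freeradius-1.0.5/...`, which makes the `-` lines (the Arrieta/Rotela comment and the `if (packet->code != PW_ACCOUNTING_RESPONSE)` guard) the patched tree and the `+` lines stock 1.0.5; anyone running `patch -p1` against a stock tree will be told the hunk is already applied or get it reversed. Regenerate with the arguments swapped (`diff -Naur freeradius-1.0.5 freeradius-1.0.5-patched`) or tell readers to apply with `patch -R`. On the logic itself: the guard skips the `lrad_hmac_md5`/`memcmp` comparison for every Accounting-Response, including one whose attribute is wrong for the reason the removed `librad_log` message names ("Shared secret is incorrect"), and it does so silently. At minimum log at debug level that a Message-Authenticator was present and ignored, and consider limiting the bypass to the proxy path or the home server that needs it rather than to all packets with code 5.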



----- Original Message ----- From: "Thor Spruyt" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Sent: Thursday, September 15, 2005 5:58 PM
Subject: Re: FreeRadius Proxying and Message-Authenticator


Alan DeKok wrote:
"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
So you are implementing YOUR radius to support YOUR PROPOSED
method... well it seems somewhat proprietary...

If one wants control over a project, one should start his own project.

It's clear to everybody that FreeRadius is widely used because it's strong
and serves a general purpose (not to mention that it's free).
So if one needs something specific to one's needs, one should contribute and
hope that the project coordinators will see a general benefit.

Please do not reply... I just wanted to give Alan some credit, so that the
FreeRadius project will continue to evolve like it has before.

--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
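To make the two integrity checks in this thread concrete, here is a small worked example. It is added here and is not code from the post or from FreeRADIUS. It builds an Accounting-Response, computes the RFC 2869 Message-Authenticator (HMAC-MD5 over the packet with the attribute value zeroed and, for a reply, the Request Authenticator in the header) and the RFC 2866 Response Authenticator (MD5 over Code, ID, Length, Request Authenticator, Attributes, Secret), and then runs both checks with and without the Accounting-Response bypass the patch introduces. The shared secret, Request Authenticator and the "ACS-style" packet whose HMAC does not match are constructed for the demo; applying the RFC 2869 reply rule to an Accounting-Response is an assumption, since that is exactly the point the RFCs leave undefined.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866) and the attribute type from RFC 2869
ACCOUNTING_RESPONSE = 5
MESSAGE_AUTHENTICATOR = 80


def build_packet(code, ident, authenticator, attrs):
    """Serialise Code, Identifier, Length, Authenticator and TLV attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def find_attr(packet, attr_type):
    """Return (value_offset, value_length) of the first attribute of attr_type, or None."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        if t == attr_type:
            return pos + 2, length - 2
        pos += length
    return None


def message_authenticator(packet, secret, request_authenticator):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed.

    The header Authenticator is replaced by the Request Authenticator, the
    RFC 2869 s5.14 rule for Access-* replies. Using it for Accounting-Response
    is an assumption: the RFCs do not define the attribute for accounting.
    """
    found = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if found is None:
        raise ValueError("no Message-Authenticator in packet")
    off, length = found
    if length != 16:
        raise ValueError("Message-Authenticator must be 16 octets")
    data = bytearray(packet)
    data[4:20] = request_authenticator
    data[off:off + 16] = b"\x00" * 16
    return hmac.new(secret, bytes(data), hashlib.md5).digest()


def response_authenticator(packet, secret, request_authenticator):
    """RFC 2866 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()


def verify_response(packet, secret, request_authenticator, skip_msg_auth_for_acct=False):
    """Run the Message-Authenticator check (bypassed for code 5 when the flag is
    set, mirroring the posted patch) and then the Response Authenticator check.
    Returns (accepted, reason)."""
    code = packet[0]
    found = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if found is not None and not (skip_msg_auth_for_acct and code == ACCOUNTING_RESPONSE):
        off, _ = found
        expected = message_authenticator(packet, secret, request_authenticator)
        if not hmac.compare_digest(expected, packet[off:off + 16]):
            return False, "invalid Message-Authenticator"
    expected = response_authenticator(packet, secret, request_authenticator)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "invalid Response Authenticator"
    return True, "ok"


def demo():
    secret = b"testing123"        # constructed shared secret
    req_auth = bytes(range(16))   # constructed Request Authenticator of the Accounting-Request
    base = build_packet(ACCOUNTING_RESPONSE, 7, req_auth, [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    ma_off = find_attr(base, MESSAGE_AUTHENTICATOR)[0]

    # Reply whose Message-Authenticator follows our assumed rule, then sealed with the
    # Response Authenticator over the final attribute bytes.
    good = bytearray(base)
    good[ma_off:ma_off + 16] = message_authenticator(base, secret, req_auth)
    good[4:20] = response_authenticator(bytes(good), secret, req_auth)
    good = bytes(good)

    # "ACS-style" reply: correct Response Authenticator, but a Message-Authenticator
    # computed some other way (constructed here as 0xFF bytes so it cannot match).
    other = bytearray(good)
    other[ma_off:ma_off + 16] = b"\xff" * 16
    other[4:20] = response_authenticator(bytes(other), secret, req_auth)
    other = bytes(other)

    # Reply sealed with the wrong shared secret: only the RFC 2866 check can catch it
    # once the Message-Authenticator check is bypassed.
    forged = bytearray(good)
    forged[4:20] = response_authenticator(good, b"wrong-secret", req_auth)
    forged = bytes(forged)

    return {
        "good_unpatched": verify_response(good, secret, req_auth),
        "acs_unpatched": verify_response(other, secret, req_auth),
        "acs_patched": verify_response(other, secret, req_auth, skip_msg_auth_for_acct=True),
        "wrong_secret_patched": verify_response(forged, secret, req_auth, skip_msg_auth_for_acct=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The run shows what the bypass buys and what it costs: the "ACS-style" reply is dropped by the stock check and accepted with the bypass, while a reply sealed with the wrong secret is still rejected by the Response Authenticator. That second check is the one RFC 2866 actually mandates for accounting, so the bypass only weakens the reply-path check if a peer sends a Message-Authenticator and nothing else.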

