Re: [PATCH] libradius: Always Include Authenticator

From: Paul Querna <pquerna_at_apache.org>
Date: Wed, 06 Jul 2005 08:52:59 -0700
Brian Candler wrote:
> On Tue, Jul 05, 2005 at 12:32:58PM -0700, Paul Querna wrote:
> 
>>The attached patch will always include the Authenticator Field, in all 
>>RADIUS packets, not just accounting packets.  This is a SHOULD violation 
>>from the RFC.
> 
> 
> I don't understand this. If you're talking about RFC 2865, which bit exactly
> are you referring to?
> 

Sorry, this is my misunderstanding of the RFC.  I thought that an 
authenticator should of been generated with the same method for both 
access requests and account requests.

> As far as I can see, the function insert_request_authenticator() generates
> the authenticator by hashing all the attributes within the request plus the
> shared secret. This is the correct behaviour for accounting requests (only).
> Your patch wrongly applies this to Access-Request as well.
> 
> In Access-Request packets, the Request Authenticator should be a *random*
> number (RFC2865 section 3, page 15), and this is already done by
> rad_create_request()
> 
> So, can you describe more precisely how and why you think the current
> behaviour is wrong?

The behavior I am seeing is that this random number is _always_ the same.

>>I found this problem fixing a bug for my mod_auth_xradius[1].  It 
>>appears that some commercial RADIUS authentication servers will reject 
>>packets with identical Authenticator fields as duplicates.
> 
> 
> But these RADIUS servers, even if they detect a duplicate, are required to
> send the same response as they did to the original request.
> 
> Is the packet actually a duplicate, or is it a different authentication
> request? If it's different, then it should have a different random
> authenticator. Are you saying that the random number generator is giving the
> same answer each time? If so then it's a seeding problem. I see that
> srandomdev() is called in rad_auth_open though.

Different authentication requests.  All have the same authenticator.

Looking closely, it appears the root cause was a problem when I ported 
the code to Linux.  Linux doesn't have a srandomdev() :)

Sorry for the noise, I made a mistake.

-Paul
Received on Wed Jul 06 2005 - 13:53:00 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:38 UTC