Brian Candler wrote: > On Tue, Jul 05, 2005 at 12:32:58PM -0700, Paul Querna wrote: > >>The attached patch will always include the Authenticator Field, in all >>RADIUS packets, not just accounting packets. This is a SHOULD violation >>from the RFC. > > > I don't understand this. If you're talking about RFC 2865, which bit exactly > are you referring to? > Sorry, this is my misunderstanding of the RFC. I thought that an authenticator should of been generated with the same method for both access requests and account requests. > As far as I can see, the function insert_request_authenticator() generates > the authenticator by hashing all the attributes within the request plus the > shared secret. This is the correct behaviour for accounting requests (only). > Your patch wrongly applies this to Access-Request as well. > > In Access-Request packets, the Request Authenticator should be a *random* > number (RFC2865 section 3, page 15), and this is already done by > rad_create_request() > > So, can you describe more precisely how and why you think the current > behaviour is wrong? The behavior I am seeing is that this random number is _always_ the same. >>I found this problem fixing a bug for my mod_auth_xradius[1]. It >>appears that some commercial RADIUS authentication servers will reject >>packets with identical Authenticator fields as duplicates. > > > But these RADIUS servers, even if they detect a duplicate, are required to > send the same response as they did to the original request. > > Is the packet actually a duplicate, or is it a different authentication > request? If it's different, then it should have a different random > authenticator. Are you saying that the random number generator is giving the > same answer each time? If so then it's a seeding problem. I see that > srandomdev() is called in rad_auth_open though. Different authentication requests. All have the same authenticator. Looking closely, it appears the root cause was a problem when I ported the code to Linux. Linux doesn't have a srandomdev() :) Sorry for the noise, I made a mistake. -PaulReceived on Wed Jul 06 2005 - 13:53:00 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:38 UTC