node-radius's Issues

sending PEAP responses

Just registering an issue for future consideration.

While implementing PEAP Authentication I ran into an issue:

TypeError: "value" argument is out of bounds
    at Object.Radius.encode_attributes (/opt/radius_server/node_modules/radius/lib/radius.js:875:12)

I was able to debug it and figured that I shouldn't be attempting to send a 1499 byte PEAP response that includes an SSL cert in an attribute value that only supports 255 bytes.

That being said, doing a sanity check that the attribute value length is greater than what is supported and telling the user it doesn't fit would be helpful.

In this instance the TLS message CAN be sent in 253 byte fragments so I'll be breaking it up and sending it that way.

Attribute length limit

There is a length limit of attribute length of 256 chars. If more than that, the code fails with the following error:
value is out of bounds
at TypeError ()
at checkInt (buffer.js:784:11)
at Buffer.writeUInt8 (buffer.js:794:5)
at Object.Radius.encode_attributes (radius/lib/radius.js:850:12)
at Object.Radius.encode_attributes (radius/lib/radius.js:832:29)
at Object.Radius._encode_with_authenticator (radius/lib/radius.js:699:20)
at Object.Radius.encode (radius/lib/radius.js:662:15)

Can this limit be removed? We have to send much bigger length.

Can we use it instead of FreeRadius?

We are developing guest WiFi solutions, so we want to do authentication and accounting too. We also want speed control and time duration. Can we use it for these purposes? We want RADIUS in Node.js with a MongoDB database backend.

EAP Packets

Hello!
Does node-radius support EAP packets now?

Attributes without a tag have one after decoding

If a packet contains an attribute with a tag, all following attributes also have the same tag, even if these attributes have no tag according to the RADIUS RFC.

The problem is caused by the fact, that the tag variable is not reset if no has_tag element is found in the attr_inf, see here. Therefore the tag is applied to all following attributes as long as no attribute with a has_tag and no specified tag is found.

At what condition I get the 'Vendor-Specific' attributes value in the decoded response

Hi,
I am able to load the dictionary with vendor specific attributes in radius server. I can receive the vendor specific attributes in a response in the form of "raw_attributes" but not as a value of attributes object with 'Vendor-Specific' key

server-encoding response:

    var response = radius.encode_response({
      packet: packet,
      code: code,
      secret: secret,
      attributes: [
        // ['NAS-IP-Addess', '10.5.5.5'],
        ['User-Name', 'rajiv'],
        ['User-Password', 'Ltrx12345'],
        ['Vendor-Specific', 14988, [['Mikrotik-Wireless-PSK', 'shiva']]]
      ]
    });

client-decoded packet data:

{ code: 'Access-Accept',
identifier: 0,
length: 58,
authenticator: <Buffer eb c1 e2 81 72 0a bc db 20 ce 18 c6 24 ef 12 9e>,
attributes:
{ 'User-Name': 'rajiv',
'User-Password': 'A�\u0013��t7��\u001c���F�9',
'Vendor-Specific': {} },
raw_attributes:
[ [ 1, <Buffer 72 61 6a 69 76> ],
[ 2, <Buffer 1d 12 74 44 c1 cc 36 e0 e9 7c 32 7f 25 8c 0a e9> ],
[ 26, <Buffer 00 00 3a 8c 10 07 73 68 69 76 61> ] ] }

I want to know the exact format of the decoded response with 'Vendor-Specific' attributes. How do I form the server encoding response to get the values as 'Vendor-Specific' attributes in the decoded response (when will the 'Vendor-Specific' attribute value get fulfilled)? Please guide me, I am unable to find it out.

Found memory leak in Radius.decode_attributes method (1.0.3)

Dear colleague developer,

We (my team and I) are using your radius library for a while now and I must say we are very happy with it.
It works very fast and gets the job done. We use it to process thousands of requests per minute and it does it like a boss.

A couple of weeks ago we started working on implementing webRTC in one of our web applications.
To get it working we send a JWT (JSON Webtoken) token to our SIP server (Brekeke) along with the register request using the JsSIP javascript library.
We do this because we don't want to show the password of the SIP account in plain text in our client-side application. We use the Vendor-Specific attributes (dictionaries) to pass this JWT token to our node radius process. We then validate the JWT token in our authentication process after we decoded the RADIUS packet using your library. This worked fine and we could register the SIP account and make calls and everything.

But here comes the problem. We noticed that sometimes our SIP server sends malformed RADIUS packets to our radius service (random). And we know we have to fix this on our side but something happened in the decode process of your radius lib. It created a memory leak causing the node app to crash.

This memory leak occurs when the length variable in the decode_attributes function is 0.
Because the attributes are decoded inside a while loop:
while (data.length > 0) / data = data.slice(length);
and the length variable used to slice the data is 0, it will stay in this loop until the raw_attrs variable is so big, it eats up too much memory.

Of course we can easily fix this with the following line:

if (!length) throw new Error("readUInt8(1) has length of 0");

You can reproduce this issue using a buffer I provided:
corrupBuffer.txt

I hope we can discuss this problem and hopefully come to a solution.

With regards,

Mark Horsman
Tam One
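
Added example (not node-radius code and not from the posts above): a strict encoder and decoder for the RFC 2865 attribute area, covering the two failure modes reported so far, a value longer than 253 octets on encode and a length octet below 2 on decode. The function names are hypothetical; splitting a long EAP packet across consecutive EAP-Message attributes follows RFC 3579.

```javascript
// RFC 2865 attribute layout:
//   Type (1 octet) | Length (1 octet, includes the 2 header octets) | Value (0..253 octets)
const HEADER_LEN = 2;
const MAX_VALUE_LEN = 253; // 255 minus the two header octets
const EAP_MESSAGE = 79;    // EAP-Message attribute type (RFC 3579)

// Encode one attribute and refuse a value that cannot be described by a
// one-octet length, instead of failing later inside Buffer.writeUInt8.
function encodeAttribute(type, value) {
  if (!Buffer.isBuffer(value)) throw new TypeError('attribute value must be a Buffer');
  if (value.length > MAX_VALUE_LEN) {
    throw new RangeError(
      `attribute ${type}: value is ${value.length} octets, limit is ${MAX_VALUE_LEN}`);
  }
  return Buffer.concat([Buffer.from([type, value.length + HEADER_LEN]), value]);
}

// Split a long EAP packet over consecutive EAP-Message attributes.
// The receiver concatenates the values in order.
function encodeEapMessage(eapPacket) {
  const parts = [];
  for (let off = 0; off < eapPacket.length; off += MAX_VALUE_LEN) {
    parts.push(encodeAttribute(EAP_MESSAGE, eapPacket.subarray(off, off + MAX_VALUE_LEN)));
  }
  return Buffer.concat(parts);
}

// Walk the attribute area. Every iteration must consume at least the two
// header octets, so a length of 0 or 1 is rejected rather than looping on
// the same offset, and a length that runs past the buffer is rejected too.
function decodeAttributes(data) {
  const attrs = [];
  let off = 0;
  while (off < data.length) {
    if (data.length - off < HEADER_LEN) {
      throw new RangeError(`truncated attribute header at offset ${off}`);
    }
    const type = data.readUInt8(off);
    const length = data.readUInt8(off + 1);
    if (length < HEADER_LEN) {
      throw new RangeError(`attribute ${type} at offset ${off}: invalid length ${length}`);
    }
    if (off + length > data.length) {
      throw new RangeError(`attribute ${type} at offset ${off}: length ${length} overruns packet`);
    }
    attrs.push([type, data.subarray(off + HEADER_LEN, off + length)]);
    off += length;
  }
  return attrs;
}

// Rebuild the EAP packet from decoded [type, value] pairs.
function reassembleEap(attrs) {
  return Buffer.concat(attrs.filter(([t]) => t === EAP_MESSAGE).map(([, v]) => v));
}

// Constructed sample input: a 1499-octet EAP payload and a malformed
// attribute area whose first attribute claims a length of 0.
const sampleEap = Buffer.alloc(1499, 0x17);
const sampleWire = encodeEapMessage(sampleEap);
console.log(decodeAttributes(sampleWire).length, 'EAP-Message attributes');
try {
  decodeAttributes(Buffer.from([0x01, 0x00, 0x61, 0x62]));
} catch (err) {
  console.log('rejected:', err.message);
}
```

A server that receives datagrams from untrusted senders should catch these errors per packet and drop the packet, so one malformed request cannot take the process down.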

No User-password attribute found

Hi,
I try to use node-radius with an MSM720 controller and I configured WPA (WPA2/AES/CCMP) wireless protection.
When the MSM720 connects to node-radius there is no User-password attribute in the decoded package data.

What should I do to get password from received packet?

Response verification fails for Status-Server response to FreeRADIUS

Hello guys. I'm trying to use this library to perform Status-Server requests to a FreeRADIUS server v3.0.19 following the spec and examples in official RFC (section 6.): https://freeradius.org/rfc/rfc5997.html

This is how my packet looks:

var packet = {
  code: "Status-Server",
  secret: "some-secret",
  identifier: getRandomInt(255),
  attributes: [
    ["Vendor-Specific", 11344, [["FreeRADIUS-Statistics-Type", "1"]]]
  ]
};

The packet is accepted and successfully processed by FreeRADIUS as shown in the server logs:

Received Status-Server Id 36 from 172.18.0.1:51235 to 172.18.0.4:18121 length 50
  FreeRADIUS-Statistics-Type = Authentication
  Message-Authenticator = 0xc6f783dc3166455a5128081572d40c82
# Executing group from file /etc/freeradius/sites-enabled/status
  Autz-Type Status-Server {
    [ok] = ok
  } # Autz-Type Status-Server = ok
Sent Access-Accept Id 36 from 172.18.0.4:18121 to 172.18.0.1:51235 length 0
  FreeRADIUS-Total-Access-Requests = 12
  FreeRADIUS-Total-Access-Accepts = 0
  FreeRADIUS-Total-Access-Rejects = 0
  FreeRADIUS-Total-Access-Challenges = 0
  FreeRADIUS-Total-Auth-Responses = 0
  FreeRADIUS-Total-Auth-Duplicate-Requests = 0
  FreeRADIUS-Total-Auth-Malformed-Requests = 0
  FreeRADIUS-Total-Auth-Invalid-Requests = 0
  FreeRADIUS-Total-Auth-Dropped-Requests = 0
  FreeRADIUS-Total-Auth-Unknown-Types = 0
Finished request

but when I call radius.verify_response the function returns false given that it's expecting a Message-Authenticator attribute in the response packet: https://github.com/retailnext/node-radius/blob/master/lib/radius.js#L426

Looking at the FreeRADIUS RFC, I see that request packets must provide a Message-Authenticator attribute but response packets do not have this attribute. Response packets are still verified by looking at byte range 4:20 of the encoded packet, which is what's done in method radius.verify_response, but I think that the call to this._verify_response_message_authenticator at the end of the method should be omitted for Status-Server packets.

I see that the library has some support for Status-Server since it's mentioned in the README that a Message-Authenticator is automatically added for Status-Server packets but couldn't find any examples of this type of request to think this could be an error with my FreeRADIUS server installation.

I'll open a PR with a potential fix.

Thanks!
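
Added example (not node-radius code and not part of the post above): the two integrity checks this issue refers to, written out with Node's crypto module. It builds a Status-Server request carrying a Message-Authenticator (HMAC-MD5 over the whole packet with the 16 value octets zeroed) and verifies a reply by its Response Authenticator in bytes 4:20 (RFC 2865). All function names are hypothetical and the sample packets are constructed.

```javascript
const crypto = require('crypto');

const STATUS_SERVER = 12;         // packet code (RFC 5997)
const ACCESS_ACCEPT = 2;          // packet code (RFC 2865)
const MESSAGE_AUTHENTICATOR = 80; // attribute type (RFC 3579)

// Build a Status-Server request. The Message-Authenticator is placed first,
// so its 16 value octets always sit at offsets 22..37.
function buildStatusServer(identifier, secret, extraAttributes = Buffer.alloc(0),
                           requestAuthenticator = crypto.randomBytes(16)) {
  if (requestAuthenticator.length !== 16) throw new RangeError('authenticator must be 16 octets');
  const header = Buffer.alloc(20);
  header.writeUInt8(STATUS_SERVER, 0);
  header.writeUInt8(identifier, 1);
  header.writeUInt16BE(20 + 18 + extraAttributes.length, 2);
  requestAuthenticator.copy(header, 4);
  const msgAuth = Buffer.alloc(18); // type, length, then 16 zero octets
  msgAuth[0] = MESSAGE_AUTHENTICATOR;
  msgAuth[1] = 18;
  const packet = Buffer.concat([header, msgAuth, extraAttributes]);
  // HMAC-MD5 keyed with the shared secret, computed while the field is zero.
  crypto.createHmac('md5', secret).update(packet).digest().copy(packet, 22);
  return packet;
}

// Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
function responseAuthenticator(response, requestAuthenticator, secret) {
  return crypto.createHash('md5')
    .update(response.subarray(0, 4))
    .update(requestAuthenticator)
    .update(response.subarray(20))
    .update(secret)
    .digest();
}

// Server side of the exchange, used here only to produce a sample reply.
function buildResponse(code, request, attributes, secret) {
  const response = Buffer.alloc(20 + attributes.length);
  response[0] = code;
  response[1] = request[1]; // echo the request identifier
  response.writeUInt16BE(response.length, 2);
  attributes.copy(response, 20);
  responseAuthenticator(response, request.subarray(4, 20), secret).copy(response, 4);
  return response;
}

// Client-side check: the reply must match the request identifier and carry
// the expected Response Authenticator. Octets past the Length field are padding.
function verifyResponse(response, request, secret) {
  if (response.length < 20) return false;
  const length = response.readUInt16BE(2);
  if (length < 20 || length > response.length) return false;
  const body = response.subarray(0, length);
  if (body[1] !== request[1]) return false;
  const expected = responseAuthenticator(body, request.subarray(4, 20), secret);
  return crypto.timingSafeEqual(expected, body.subarray(4, 20));
}

// Constructed sample: identifier 36 and the secret from the post's packet object.
const sampleRequest = buildStatusServer(36, 'some-secret');
const sampleReply = buildResponse(ACCESS_ACCEPT, sampleRequest, Buffer.alloc(0), 'some-secret');
console.log('reply verifies:', verifyResponse(sampleReply, sampleRequest, 'some-secret'));
console.log('wrong secret  :', verifyResponse(sampleReply, sampleRequest, 'other-secret'));
```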

How to pass custom attributes ?

Hi guys. I'm working with radius authentication and billing on the jerasoft platform. Docs link - https://docs.jerasoft.net/display/IM/JeraSoft+VCS%3A+RADIUS+Integration

I need to pass custom non-vendor-specific attributes: request-type, src-gw-ip, src-gw-name.

If I do it like this:

    const packet = radius.encode({  
          code: 'Access-Request',  
          secret: 'my secret',  
          attributes: [  
           ['request-type', 'user'],  
           ['src-gw-name', 'my-gw'],  
           ['gw-ip', '127.0.0.1'],  
          ],  
        })  

I get an error:

Error: encode: invalid attributes - must give Buffer for unknown attribute 'request-type'

If I do it like this:

        const packet = radius.encode({
          code: 'Access-Request',
          secret: 'my secret',
          attributes: [
           ['request-type', Buffer.from('user')],
           ['src-gw-name', Buffer.from('my-gw')],
           ['gw-ip', Buffer.from('127.0.0.1')],
          ],
        })

I have no errors, but I have a tcpdump with Unknown-Attribute instead of the fields:

User Datagram Protocol, Src Port: 9984, Dst Port: 1812
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x88 (136)
Length: 44
Authenticator: 3390678678fccvcvbcvb62770fedfgdfg806fc
Attribute Value Pairs
AVP: l=6 t=Unknown-Attribute(0): 75736572
AVP: l=7 t=Unknown-Attribute(0): 6d792d6777
AVP: l=11 t=Unknown-Attribute(0): 3132372e302e302e31

Please help me. What did I do wrong?

Decoding beyond ASN.1 representations.

I'm working with radius requests from GGSNs on mobile/cell phone networks.

I have written a small dictionary for the parts of 3GPP I've encountered:

# 3GPP attributes
VENDORATTR  10415       3GPP-PDP-Type                           3       integer
VENDORATTR  10415       3GPP-SGSN-MCC-MNC                       18      string
VENDORATTR  10415       3GPP-IMEISV                             20      string
VENDORATTR  10415       3GPP-RAT-Type                           21      octets
VENDORATTR  10415       3GPP-User-Location-Info                 22      octets

Is there some form of hook for decoding octets to JSON objects, where the data has an obscure encoding (a mixture of BCD and multiple bitwise fields, for one field I've encountered)?

Is this sort of decoding in or out of scope for node-radius?

Receiving usernames and passwords encrypted when using EAP-TTLS authentication

I'm receiving the username in a format I don't know how to deal with, and I don't receive any password values, but an "EAP-message" which is an array of numbers. So how can I deal with this kind of authentication to recognize my users?
Here is what I'm receiving:
"User-Name": "{am=1}[email protected]",
"EAP-Message": [2,1,0,53,1,123,97,109,61,49,125,69,65,69,48,52,57,57,53,65,52,53,55,70,65,54,57,70,54,70,51,70,54,51,51,52,49,65,56,69,55,53,52,64,117,110,105,99,111,109,46,98,102],
"Message-Authenticator":[197,52,81,200,32,118,245,164,162,2,67,28,130,110,206,44 ]

PS: I'm trying to install and configure your RADIUS server with Alvarion systems, but I'm experiencing a couple of problems and would like your help in this matter to get it up and running. So if you have some time and are ready to help, here is my e-mail: [email protected] (I didn't find yours)
Regards.

Openwrt, Linux

Hi there! I try to use this from linux and via openwrt. I configured a WPA-EAP network and a server that listens to the radius requests using this library. Sadly, the user-password doesn't get decrypted. I guess this is due to me having either not configured openwrt or my computer correctly. What seem to be the correct configurations for the router and the end-points?

As of now I have for

Client:

Security: WPA & WPA2 Enterprise
Auth: Tunneled TLS
Inner Auth: PAP
user: user
password: pass


Openwrt Router:
Encryption: WPA-EAP
Cipher: CCMP and TKIP

Chap Password - Active Directory

I want to authenticate user in Active Directory with chap or mschap.

The radius comes as a password <Buffer 9d 98 5e be 43 35 aa c7 b4 c0 4d a8 85 41 1c 46 99>. There is no way to code this.

How can I query the chap password from the active directory?

RADIUS server issue ChangeOfAuthorization (CoA) requests

Thank you for making this radius in node. I'm using it in my project.
I've checked the example but can't find something related to CoA.

Is it possible?
I'm using CoovaChilli, and the radius is working great on Authentication and Accounting.
But searching for days now on how to make it that the radius can send a termination on sessions.

Currently, I'm using child_process.exec() to spawn a chilli_query command to disconnect a user.
Would be a game changer if the radius itself can do it.

Any help is appreciated.

There is no password attr

This is all data I get in a request:

{ 'Service-Type': 'Framed-User',
  'Framed-Protocol': 'PPP',
  'NAS-Port': 666,
  'NAS-Port-Type': 'Virtual',
  'User-Name': 'test',
  'Calling-Station-Id': '2.2.2.20',
  'Called-Station-Id': '2.2.2.2',
  'Vendor-Specific': {},
  'NAS-Identifier': 'MikroTik',
  'NAS-IP-Address': '3.3.3.3.' }

IP addresses are fake here. Why could I not get the password from MikroTik?

attribute class limit 8 groups

I can't put more than 8 strings in one attribute.
For example:
Trying to insert over 8 groups (strings) into the 'class' attribute results in a crash claiming it is out of boundaries.

How do I bypass this?

Packet identifier number

I'm working on a system which allows sending multiple RADIUS requests in parallel. The number of requests may be greater than 255, but I don't know how to realize it now. I need something like a query for requests.

Can I insert something like a UUID or GUID in the 'identifier' field?

mikrotik radius dictionary

I'm trying to use this:
http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary
together with all the dictionary.rfcXXX files inside the dictionaries folder provided with this repository, but I have some problems and the fields do not seem to be loaded correctly.
If I strip out the BEGIN-VENDOR and END-VENDOR, the attributes are loaded but are misunderstood by the library. Are there any issues reading files with EOL in CRLF and not only LF?

Any special configuration needed for Linksys WRT 1200AC?

I'm trying to use the node-radius example to authenticate users connecting to a Linksys WRT 1200AC Wireless Router. I receive the packet from the router when a user authenticates, and I send the "Access-Accept" response but the client gets an "invalid password" every time. Of course, there are no logs or any information on the router itself that might help me debug the issue.

Could there be some vendor specific feature I need to enable for this AP?

Thanks

Error in Freeradius with CHAP Password due to attribute length

Hello
First, thanks for the lib! Really useful!
I have a toolbox for an access point with hostapd, CoovaChilli and Freeradius. I would like to add a kind of middleware between Coova and Freeradius, so I created one with NodeJS.
With this library, using Cleartext-password requests to Freeradius, it works great. Then I try to get the request from Coova, translate it into a packet and send it to Freeradius. The issue is that Freeradius rejects the request due to a wrong password length.

The original request received from Coova :

{ stage: 'login',
  service: 'login',
  user: 'chris',
  chap_chal: '9e264833bb4c59a13c7f8503bc8b945f',
  chap_pass: 'e7d8b327c909f763fd7a710eb8013232',
  chap_id: '0',
  ap: '00-0C-29-3E-41-F9',
  mac: '00-50-56-C0-00-01',
  ip: '172.16.1.1',
  sessionid: '154719715100000001',
  nasid: 'KUPIKI' }

How the packet is prepared for Freeradius :

let packet_freeradius = {
	code: "Access-Request",
	secret: secret,
	identifier: 0,
	attributes: []
};

And then on reception from Coova :

	packet_freeradius.attributes = [
		['NAS-IP-Address', '10.5.5.5'],
		['User-Name', req.query.user],
		['CHAP-Password', new Buffer.from(req.query.chap_pass, 'hex')],
		['CHAP-Challenge', new Buffer.from(req.query.chap_chal, 'hex')],
	];

And the trace in Freeradius

(5) Received Access-Request Id 0 from 127.0.0.1:49001 to 127.0.0.1:2812 length 69
(5)   NAS-IP-Address = 10.5.5.5
(5)   User-Name = "chris"
(5)   CHAP-Password = 0xe7d8b327c909f763fd7a710eb8013232
(5)   CHAP-Challenge = 0x9e264833bb4c59a13c7f8503bc8b945f
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> TRUE
(5)       if (&User-Name)  {
(5)         if (&User-Name =~ / /) {
(5)         if (&User-Name =~ / /)  -> FALSE
(5)         if (&User-Name =~ /@[^@]*@/ ) {
(5)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(5)         if (&User-Name =~ /\.\./ ) {
(5)         if (&User-Name =~ /\.\./ )  -> FALSE
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(5)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(5)         if (&User-Name =~ /\.$/)  {
(5)         if (&User-Name =~ /\.$/)   -> FALSE
(5)         if (&User-Name =~ /@\./)  {
(5)         if (&User-Name =~ /@\./)   -> FALSE
(5)       } # if (&User-Name)  = notfound
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5) chap:   &control:Auth-Type := CHAP
(5)     [chap] = ok
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "chris", looking up realm NULL
(5) suffix: No such realm "NULL"
(5)     [suffix] = noop
(5) eap: No EAP-Message, not doing EAP
(5)     [eap] = noop
(5)     [files] = noop
(5) sql: EXPAND %{User-Name}
(5) sql:    --> chris
(5) sql: SQL-User-Name set to 'chris'
rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 59568 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 59514 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 59514 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_sql (sql): Opening additional connection (11), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.37-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Reserved connection (11)
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'chris' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'chris' ORDER BY id
(5) sql: User found in radcheck table
(5) sql: Conditional check items matched, merging assignment check items
(5) sql:   Cleartext-Password := "chris"
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'chris' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'chris' ORDER BY id
(5) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(5) sql:    --> SELECT groupname FROM radusergroup WHERE username = 'chris' ORDER BY priority
(5) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'chris' ORDER BY priority
(5) sql: User not found in any groups
rlm_sql (sql): Released connection (11)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (12), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.37-MariaDB-0+deb9u1, protocol version 10
(5)     [sql] = ok
(5)     [expiration] = noop
(5)     [logintime] = noop
(5) pap: WARNING: Auth-Type already set.  Not setting to PAP
(5)     [pap] = noop
(5)   } # authorize = ok
(5) Found Auth-Type = CHAP
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Auth-Type CHAP {
(5) chap: ERROR: &request:CHAP-Password has invalid length
(5)     [chap] = invalid
(5)   } # Auth-Type CHAP = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Post-Auth-Type REJECT {
(5) sql: EXPAND .query
(5) sql:    --> .query
(5) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (11)
(5) sql: EXPAND %{User-Name}
(5) sql:    --> chris
(5) sql: SQL-User-Name set to 'chris'
(5) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(5) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'chris', '0xe7d8b327c909f763fd7a710eb8013232', 'Access-Reject', '2019-01-11 10:02:48')
(5) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'chris', '0xe7d8b327c909f763fd7a710eb8013232', 'Access-Reject', '2019-01-11 10:02:48')
(5) sql: SQL query returned: success
(5) sql: 1 record(s) updated
rlm_sql (sql): Released connection (11)
(5)     [sql] = ok
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject:    --> chris
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5)     [attr_filter.access_reject] = updated
(5)     [eap] = noop
(5)     policy remove_reply_message_if_eap {
(5)       if (&reply:EAP-Message && &reply:Reply-Message) {
(5)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)       else {
(5)         [noop] = noop
(5)       } # else = noop
(5)     } # policy remove_reply_message_if_eap = noop
(5)   } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 0 from 127.0.0.1:2812 to 127.0.0.1:49001 length 20
Waking up in 3.9 seconds.
(5) Cleaning up request packet ID 0 with timestamp +59984

As if the 0x is added by the buffer translation?
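
Added example (not node-radius code and not part of the post above): RFC 2865 defines the CHAP-Password value as a one-octet CHAP identifier followed by the 16-octet CHAP response, 17 octets in total, with the response computed as MD5(identifier + password + challenge). The sketch below builds that value from the chap_id and chap_pass fields shown in the request and checks it the way a server would. The function names are hypothetical, chap_id is assumed to be a decimal string, and any transformation a captive portal applies to the challenge before hashing is out of scope.

```javascript
const crypto = require('crypto');

const CHAP_RESPONSE_LEN = 16;                    // MD5 digest size
const CHAP_PASSWORD_LEN = 1 + CHAP_RESPONSE_LEN; // identifier + response

// Build the 17-octet CHAP-Password attribute value.
// chapId:      identifier as a decimal string or number (assumption), 0..255
// chapPassHex: the 16-octet CHAP response as 32 hex characters
function chapPasswordValue(chapId, chapPassHex) {
  const ident = Number.parseInt(chapId, 10);
  if (!Number.isInteger(ident) || ident < 0 || ident > 255) {
    throw new RangeError('chap_id must be an integer in 0..255');
  }
  // Buffer.from(..., 'hex') silently truncates bad input, so validate first.
  if (!/^[0-9a-fA-F]{32}$/.test(chapPassHex)) {
    throw new RangeError('chap_pass must be exactly 16 octets of hex');
  }
  return Buffer.concat([Buffer.from([ident]), Buffer.from(chapPassHex, 'hex')]);
}

// CHAP response as defined for RADIUS: MD5(ident || password || challenge).
function chapResponse(ident, password, challenge) {
  return crypto.createHash('md5')
    .update(Buffer.from([ident]))
    .update(password)
    .update(challenge)
    .digest();
}

// Server-side check of a received CHAP-Password value against the stored
// cleartext password. A value that is not 17 octets is a malformed
// attribute, not a wrong password, so it is reported separately.
function verifyChap(value, challenge, cleartextPassword) {
  if (!Buffer.isBuffer(value) || value.length !== CHAP_PASSWORD_LEN) {
    throw new RangeError(
      `CHAP-Password must be ${CHAP_PASSWORD_LEN} octets, got ${value.length}`);
  }
  const expected = chapResponse(value[0], cleartextPassword, challenge);
  return crypto.timingSafeEqual(expected, value.subarray(1));
}

// Constructed sample: the challenge and identifier are the values shown in
// the request above; the response is computed here for the password 'chris'
// rather than taken from the post.
const sampleChallenge = Buffer.from('9e264833bb4c59a13c7f8503bc8b945f', 'hex');
const sampleResponse = chapResponse(0, 'chris', sampleChallenge);
const sampleValue = chapPasswordValue('0', sampleResponse.toString('hex'));
console.log('value length  :', sampleValue.length);
console.log('chris accepted:', verifyChap(sampleValue, sampleChallenge, 'chris'));
try {
  verifyChap(sampleResponse, sampleChallenge, 'chris'); // 16 octets, no identifier
} catch (err) {
  console.log('rejected      :', err.message);
}
```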

Unable to get true from verify_response

Hello,

Using node-radius to communicate between Coova and Freeradius, I am able to generate the request and get the answer from Freeradius, but when I want to verify the response it fails. What is strange is that the response is an "Accept-Accept" id so all is good (username, password and the secret).
Here is the code to validate:

	client.on('message', function(msg, rinfo) {
		console.log('*** Message');
		console.log('****');
		console.log(msg)

		console.log('*** rinfo');
		console.log('****');
		console.log(rinfo)

		let response = radius.decode({packet: msg, secret: config.freeradius_secret});
		console.log('*** Response');
		console.log('****');
		console.log(response)

		let request = sent_packets[response.identifier];
		console.log('*** Associate request');
		console.log('****');
		console.log(request)

		let valid_response = radius.verify_response({
			response: msg,
			request: request.raw_packet,
			secret: request.secret
		});
		console.log('*** valid_response');
		console.log('****');
		console.log(valid_response)

		// Close connector
		client.close();

		console.log('*** Got response');
		console.log('****');
		console.log(valid_response)
	});

And the output

*** New request
****
{ stage: 'login',
  service: 'login',
  user: 'test',
  chap_chal: '70d128006b84a8f4260b2474c09e0ac6',
  chap_pass: 'cc12abe2d3b8d8083fbae677089eed8b',
  chap_id: '0',
  ap: '00-0C-29-38-DF-D8',
  mac: '00-50-56-C0-00-01',
  ip: '172.16.1.1',
  sessionid: '154903527700000005',
  nasid: 'KUPIKI' }
Request managed. Login request
*** Message
****
<Buffer 02 00 00 14 bd f9 02 db 16 44 ea 8f bf d3 1c 13 12 78 71 bb>
*** rinfo
****
{ address: '127.0.0.1', family: 'IPv4', port: 2812, size: 20 }
*** Response
****
{ code: 'Access-Accept',
  identifier: 0,
  length: 20,
  authenticator: <Buffer bd f9 02 db 16 44 ea 8f bf d3 1c 13 12 78 71 bb>,
  attributes: {},
  raw_attributes: [] }
*** Associate request
****
{ raw_packet: <Buffer 01 00 00 3f 5f e7 97 51 52 34 60 af f7 7d ed ee 40 fe 7f ba 01 06 74 65 73 74 03 13 00 cc 12 ab e2 d3 b8 d8 08 3f ba e6 77 08 9e ed 8b 3c 12 70 d1 28 ... >,
  secret: 'blJt5vyBxgkPVTw93XrCk0fvEoUzlf4z' }
*** valid_response
****
false
*** Got response
****
{ code: 'Access-Accept',
  identifier: 0,
  length: 20,
  authenticator: <Buffer bd f9 02 db 16 44 ea 8f bf d3 1c 13 12 78 71 bb>,
  attributes: {},
  raw_attributes: [] }
false

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Warning

These dependencies are deprecated:

Datasource Name Replacement PR?
npm nodeunit Unavailable

Detected dependencies

npm
package.json
  • nodeunit ~0.8.6
  • node >=0.8.0
travis
.travis.yml
  • node 6
  • node 0.10
  • node 0.12
  • node 4.3


Requirement - Support for adding the Message-Authenticator attribute for requests

This attribute is required for requests such as Status-Server to poll for information from RADIUS servers. There's no clean way of doing this today because this attribute is calculated on the entire RADIUS packet.

Are there any intentions to add support for this, and generally to continue updating supporting this repo?
Thanks.

Using with hostapd

I'm trying to create a RADIUS server to run in my Raspberry Pi using hostapd to create the Access Point.

Should I be able to create a wifi hotspot by using this library for the RADIUS server, a data storage, hostapd and dnsmasq?

How to decode radius packet without secret?

Wireshark can decode the fields of a radius packet without a secret.

This makes me think that the secret is not needed for decoding. Why does the node-radius API require it?

I have a server with multiple secrets, and need to know the value of an attribute inside of the radius packet, in order to choose which secret to use.

How can I achieve this?

authenticator.copy is not a function

i'm running node 4.3.1 on os x.
my intuition tells me that the cause of my problem is that node's buffer class has changed between 0.8.0 and 4.3.1.

when responding to an access-request packet, i use encode_response which tries to copy the authenticator from the request packet to my response packet. when doing so, i get a typeerror because radius was expecting authenticator to be a buffer, but it isn't.

i've patched this in a personal fork of the library. my patch doesn't break any existing tests and the program i've written that uses my personal fork now works as expected.

here's the patch i made: skibz@dc75c4a (please excuse the profanity)

dictionary.rfc2865 incorrect Class attribute definition

According to rfc2865 the Class attribute is a string not octet.

In file dictionary.rfc2865
Wrong:
ATTRIBUTE Class 25 octets

Right:
ATTRIBUTE Class 25 string

Workaround is to load a custom dictionary file with definition override

RFC2865 Chap-Password support

Hi,

According to the doc this supports password encryption types listed in RFC2865 User-Password section, does it include Chap-Password section in RFC2865? Thanks.

Session-Timeout not working

I'm using the example and added Session-Timeout on Access-Accept.
I'm logged in but there's no time limit.
I'm using Mikrotik Hap Lite

packet.attributes['Session-Timeout'] = 300;
var response = radius.encode_response({
    packet: packet,
    code: code,
    secret: secret
  });

Any clue?

Disconnect-Request does not work

A small snippet of code

I can't request the user to disconnect, it doesn't happen

    const encoded = radius.encode({
      code: 'Disconnect-Request',
      secret: this.secret,
      identifier: 0,
      attributes: [
        ['User-Name', connect.username],
        ['NAS-Identifier', 'MikroTik'],
      ]
    });

    this.server.send(
      encoded,
      0,
      encoded.length,
      3799, '127.0.0.1', (err, bytes) => {

        if (err) {
          console.log('Error sending response to ');
          console.log(err);
        }
        console.log(bytes);
      });

Mismatching radius secrets causes app termination

Mismatching radius secrets causes app termination in example server

C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\node_modules\radius\lib\radius.js:277

throw err;
^
Invalid Secret Error: decode: Message-Authenticator mismatch (possible shared secret mismatch)
at new Radius.InvalidSecretError >(C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\node_modules\radius\lib\radius.js:32:9)
at Object.Radius._verify_request_message_authenticator (C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\node_modules\radius\lib\radius.js:380:16)
at Object.Radius.decode (C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\node_modules\radius\lib\radius.js:346:10)
at Socket. (C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\server.js:16:19)
at emitTwo (events.js:87:13)
at Socket.emit (events.js:172:7)
at UDP.onMessage (dgram.js:480:8)

WPA-2 enterprise support

Nice work on this library, it has saved me considerable effort, thank you! I used this with captive portal and was able to get this working with little effort. Now I plan to use this package with WPA2 enterprise and looking at the logs of free radius, the peer I tested with appears to use PEAP over TLS. I just started with WPA 2, I tried to accept all WPA2 requests by sending a blind Access Accept using node-radius and nothing happened ( the peer did not connect ). It looks like I have to implement the EAP challenge response mechanism, is my assumption correct? It appears to be a heavily involved process, nevertheless, I plan to work on it over next 3 - 6 months. Any pointers would be very helpful, TIA.

Error when using EAP-Message package

I want to add EAP-Message attribute to the response package, like this

    var response = radius.encode_response({
      packet: packet,
      code: code,
      secret: "shared_secret",
      attributes: [
        ['User-Name', username],
        ['EAP-Message', 555,
          [
            ['Code', 1],
            ['Id', ''],
            ['Length', ''],
            ['Type', 'MD5-Challenge'],
            ['Type-Data', token],
          ]
        ]
      ]
    });

Radius module throws an error
Documents/radius/node_modules/radius/lib/radius.js:277
throw err;
^
Error: encode: must provide Buffer for attribute 'EAP-Message'

How to solve this issue? Thank you

Similar module for Diameter

I was not sure where to put this, but I think this module is awesome, and I'm going to build a test Radius server with this to simulate Account Request/Account Response messaging.

Is there a similar package in the works for RADIUS or GTPC messaging? I think with the high message count for these protocols, NodeJS would be awesome. Thanks.
