Comments (6)
The example client/server doesn't throw an exception for me with mismatched shared secrets (there is already an example of that in auth_client). Can you provide a test case that demonstrates the problem?
from node-radius.
Using example server - and testing it with radtest tool as client - supplying wrong radius secret causes the throw exception in my case. :/
Node.js v.4.4.3 running on Windows 10.
from node-radius.
I'm not seeing that with radtest:
$ radtest hello hello localhost 1234 hello
Sending Access-Request of id 9 to 127.0.0.1 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.2
NAS-Port = 1234
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=9, length=20
rad_verify: Received Access-Reject packet from home server 127.0.0.1 port 1812 with invalid signature! (Shared secret is incorrect.)
On the server:
$ node auth_server.js
radius server listening 0.0.0.0:1812
Access-Request for hello
Sending Access-Reject for user hello
from node-radius.
Hmm.. I've now replicated this on an Ubuntu environment, same result.
On server docker:
Copied source -> Ran "nodejs auth_server.js"
On client docker:
Ran "radtest hello hello 10.7.7.23 1234 hello"
Resulting in:
root@762e243163a4:/node-radius-master/examples# nodejs auth_server.js
radius server listening 0.0.0.0:1812
/node-radius-master/lib/radius.js:277
throw err;
^
Invalid Secret Error: decode: Message-Authenticator mismatch (possible shared secret mismatch)
at new Radius.InvalidSecretError (/node-radius-master/lib/radius.js:32:9)
at Object.Radius._verify_request_message_authenticator (/node-radius-master/lib/radius.js:380:16)
at Object.Radius.decode (/node-radius-master/lib/radius.js:346:10)
at Socket. (/node-radius-master/examples/auth_server.js:11:19)
at Socket.EventEmitter.emit (events.js:98:17)
at UDP.onMessage (dgram.js:440:8)
on server.
And:
root@3a1707f3c418:/# radtest hello hello 10.7.7.23 1234 hello
Sending Access-Request of id 175 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Request of id 175 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Request of id 175 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
radclient: no response from server for ID 175 socket 3
on client.
Works great if the right secret is used:
Server:
root@762e243163a4:/node-radius-master/examples# nodejs auth_server.js
radius server listening 0.0.0.0:1812
Access-Request for hello
Sending Access-Reject for user hello
Access-Request for hello
Sending Access-Reject for user hello
Access-Request for hello
Sending Access-Reject for user hello
Access-Request for jlpicard
Sending Access-Accept for user jlpicard
Access-Request for jlpicard
Sending Access-Accept for user jlpicard
Access-Request for jlpicard
Sending Access-Accept for user jlpicard
Client:
root@3a1707f3c418:/# radtest hello hello 10.7.7.23 1234 radius_secret
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
radclient: no response from server for ID 135 socket 3
root@3a1707f3c418:/# radtest jlpicard beverly123 10.7.7.23 1234 radius_secret
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "jlpicard"
User-Password = "beverly123"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "jlpicard"
User-Password = "beverly123"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "jlpicard"
User-Password = "beverly123"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
radclient: no response from server for ID 135 socket 3
from node-radius.
I upgraded to a newer version of freeradius utils and then was able to reproduce the issue. The first version (the one that worked) was radclient: 2.1.10. The packet it sends looks like this:
14:38:22.064063 IP (tos 0x0, ttl 64, id 57040, offset 0, flags [none], proto UDP (17), length 85)
127.0.0.1.36483 > 127.0.0.1.1812: RADIUS, length: 57
Access Request (1), id: 0xce, Authenticator: c1f0be82d1a9bdcb817f5e1d5603ce68
Username Attribute (1), length: 7, Value: hello
Password Attribute (2), length: 18, Value:
NAS IP Address Attribute (4), length: 6, Value: 172.17.0.2
NAS Port Attribute (5), length: 6, Value: 1234
The same command on version 2.2.8 sends the following packet:
14:41:07.879831 IP (tos 0x0, ttl 64, id 45861, offset 0, flags [none], proto UDP (17), length 103)
127.0.0.1.38486 > 127.0.0.1.1812: RADIUS, length: 75
Access-Request (1), id: 0x1f, Authenticator: b70a4c59e0fb9059470d26a3da157c58
User-Name Attribute (1), length: 7, Value: hello
User-Password Attribute (2), length: 18, Value:
NAS-IP-Address Attribute (4), length: 6, Value: 10.171.58.157
NAS-Port Attribute (5), length: 6, Value: 1234
Message-Authenticator Attribute (80), length: 18, Value: ./..Wz.R...R..R.
Note how the newer version includes a Message-Authenticator attribute where the older one did not.
The Message-Authenticator attribute is described in rfc2869. It is an optional attribute (unless you are doing EAP, then it is required), but if it is in the message the radius server is required to verify it.
In order to ensure that servers using node-radius properly handle mismatched Message-Authenticators the library raises an exception when they mismatch. Your two options are to either catch the exception or use decode_without_secret, which will decode all the attributes the library is able to without obfuscating the password field or checking the message authenticator. This method is really just a convenience for when you are decoding radius packets but you aren't sending radius responses.
I've pushed an update to the server example to demonstrate handling message-authenticator mismatches.
from node-radius.
Closing, feel free to reopen if you are still having issues.
from node-radius.