Comments (6)

psanford avatar psanford commented on July 29, 2024

The example client/server doesn't throw an exception for me with mismatched shared secrets (there is already an example of that in auth_client). Can you provide a test case that demonstrates the problem?

from node-radius.

jontesehlin avatar jontesehlin commented on July 29, 2024

Using example server - and testing it with radtest tool as client - supplying wrong radius secret causes the throw exception in my case. :/

Node.js v.4.4.3 running on Windows 10.

psanford avatar psanford commented on July 29, 2024

I'm not seeing that with radtest:

$ radtest hello hello localhost 1234 hello
Sending Access-Request of id 9 to 127.0.0.1 port 1812
        User-Name = "hello"
        User-Password = "hello"
        NAS-IP-Address = 172.17.0.2
        NAS-Port = 1234
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=9, length=20
rad_verify: Received Access-Reject packet from home server 127.0.0.1 port 1812 with invalid signature!  (Shared secret is incorrect.)

On the server:

$ node auth_server.js 
radius server listening 0.0.0.0:1812
Access-Request for hello
Sending Access-Reject for user hello

jontesehlin avatar jontesehlin commented on July 29, 2024

Hmm.. I've now replicated this on an Ubuntu environment, same result.

On server docker:
Copied source -> Ran "nodejs auth_server.js"
On client docker:
Ran "radtest hello hello 10.7.7.23 1234 hello"
Resulting in:

root@762e243163a4:/node-radius-master/examples# nodejs auth_server.js
radius server listening 0.0.0.0:1812

/node-radius-master/lib/radius.js:277
throw err;
^
Invalid Secret Error: decode: Message-Authenticator mismatch (possible shared secret mismatch)
at new Radius.InvalidSecretError (/node-radius-master/lib/radius.js:32:9)
at Object.Radius._verify_request_message_authenticator (/node-radius-master/lib/radius.js:380:16)
at Object.Radius.decode (/node-radius-master/lib/radius.js:346:10)
at Socket.<anonymous> (/node-radius-master/examples/auth_server.js:11:19)
at Socket.EventEmitter.emit (events.js:98:17)
at UDP.onMessage (dgram.js:440:8)

on server.

And:

root@3a1707f3c418:/# radtest hello hello 10.7.7.23 1234 hello
Sending Access-Request of id 175 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Request of id 175 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Request of id 175 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
radclient: no response from server for ID 175 socket 3

on client.

Works great if the right secret is used:

Server:

root@762e243163a4:/node-radius-master/examples# nodejs auth_server.js
radius server listening 0.0.0.0:1812
Access-Request for hello
Sending Access-Reject for user hello
Access-Request for hello
Sending Access-Reject for user hello
Access-Request for hello
Sending Access-Reject for user hello
Access-Request for jlpicard
Sending Access-Accept for user jlpicard
Access-Request for jlpicard
Sending Access-Accept for user jlpicard
Access-Request for jlpicard
Sending Access-Accept for user jlpicard

Client:

root@3a1707f3c418:/# radtest hello hello 10.7.7.23 1234 radius_secret
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "hello"
User-Password = "hello"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
radclient: no response from server for ID 135 socket 3
root@3a1707f3c418:/# radtest jlpicard beverly123 10.7.7.23 1234 radius_secret
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "jlpicard"
User-Password = "beverly123"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "jlpicard"
User-Password = "beverly123"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
Sending Access-Request of id 135 to 10.7.7.23 port 1812
User-Name = "jlpicard"
User-Password = "beverly123"
NAS-IP-Address = 172.17.0.4
NAS-Port = 1234
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 172.17.0.1 port 1812, id=135, length=38
radclient: received response to request we did not send. (id=135 socket 3)
radclient: no response from server for ID 135 socket 3

psanford avatar psanford commented on July 29, 2024

I upgraded to a newer version of freeradius utils and then was able to reproduce the issue. The first version (the one that worked) was radclient: 2.1.10. The packet it sends looks like this:

14:38:22.064063 IP (tos 0x0, ttl 64, id 57040, offset 0, flags [none], proto UDP (17), length 85)
    127.0.0.1.36483 > 127.0.0.1.1812: RADIUS, length: 57
        Access Request (1), id: 0xce, Authenticator: c1f0be82d1a9bdcb817f5e1d5603ce68
          Username Attribute (1), length: 7, Value: hello
          Password Attribute (2), length: 18, Value: 
          NAS IP Address Attribute (4), length: 6, Value: 172.17.0.2
          NAS Port Attribute (5), length: 6, Value: 1234

The same command on version 2.2.8 sends the following packet:

14:41:07.879831 IP (tos 0x0, ttl 64, id 45861, offset 0, flags [none], proto UDP (17), length 103)
    127.0.0.1.38486 > 127.0.0.1.1812: RADIUS, length: 75
        Access-Request (1), id: 0x1f, Authenticator: b70a4c59e0fb9059470d26a3da157c58
          User-Name Attribute (1), length: 7, Value: hello
          User-Password Attribute (2), length: 18, Value:
          NAS-IP-Address Attribute (4), length: 6, Value: 10.171.58.157
          NAS-Port Attribute (5), length: 6, Value: 1234
          Message-Authenticator Attribute (80), length: 18, Value: ./..Wz.R...R..R.

Note how the newer version includes a Message-Authenticator attribute where the older one did not.

The Message-Authenticator attribute is described in rfc2869. It is an optional attribute (unless you are doing EAP, then it is required), but if it is in the message the radius server is required to verify it.

In order to ensure that servers using node-radius properly handle mismatched Message-Authenticators the library raises an exception when they mismatch. Your two options are to either catch the exception or use decode_without_secret which will decode all the attributes the library is able to without obfuscating the password field or checking the message authenticator. This method is really just a convenience for when you are decoding radius packets but you aren't sending radius responses.

I've pushed an update to the server example to demonstrate handling message-authenticator mismatches.

psanford avatar psanford commented on July 29, 2024

Closing, feel free to reopen if you are still having issues.
