retailnext / node-radius
Node.js RADIUS library for packet encoding and decoding.
License: Other
The regex at https://github.com/retailnext/node-radius/blob/master/lib/radius.js#L176 has a bug.
match = line.match(/^\s*(?:VENDOR)?ATTR(?:IBUTE)?\s+(\d+)?\s*(\S+)\s+(\d+)\s+(\S+)\s*(.+)?/);
Any vendor name which begins with a digit is processed as if its vendor id were the leading digits in its name.
VENDOR 3GPP 10415
E.g., the above is processed as a vendor id of 3, not 10415.
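Added example (not from the node-radius source or from the issue author): the regex quoted above run against dictionary lines, next to an assumed stricter variant that accepts a vendor id only when whitespace follows it. The `ATTRIBUTE 3GPP-IMSI 1 string` line is constructed for the demonstration; `STRICT`, `parseAttrLine` and `compareRegexes` are hypothetical names.

```javascript
// Regex exactly as quoted in the issue above.
const ORIGINAL = /^\s*(?:VENDOR)?ATTR(?:IBUTE)?\s+(\d+)?\s*(\S+)\s+(\d+)\s+(\S+)\s*(.+)?/;

// Assumed fix (not the project's patch): the optional vendor id must be a
// whole token, i.e. digits followed by at least one whitespace character.
const STRICT = /^\s*(?:VENDOR)?ATTR(?:IBUTE)?\s+(?:(\d+)\s+)?(\S+)\s+(\d+)\s+(\S+)\s*(.+)?/;

// Turn one dictionary line into { vendor, name, id, type } or null.
function parseAttrLine(re, line) {
  const m = line.match(re);
  if (!m) return null;
  return {
    vendor: m[1] === undefined ? null : Number(m[1]),
    name: m[2],
    id: Number(m[3]),
    type: m[4],
  };
}

const SAMPLE_LINES = [
  'ATTRIBUTE 3GPP-IMSI 1 string',              // constructed: name starts with a digit
  'VENDORATTR 10415 3GPP-PDP-Type 3 integer',  // explicit vendor id, as used elsewhere on this page
  'ATTRIBUTE Class 25 string',                 // plain attribute, no vendor id
];

// Parse every line with both regexes so the differences are visible side by side.
function compareRegexes(lines) {
  return lines.map((line) => ({
    line,
    original: parseAttrLine(ORIGINAL, line),
    strict: parseAttrLine(STRICT, line),
  }));
}

for (const row of compareRegexes(SAMPLE_LINES)) {
  console.log(row.line);
  console.log('  original:', JSON.stringify(row.original));
  console.log('  strict:  ', JSON.stringify(row.strict));
}
```

With the original pattern the optional `(\d+)?` followed by `\s*` lets the leading digit of the name be split off as a vendor id; lines that carry an explicit vendor id parse identically under both patterns.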
According to rfc2865 the Class attribute is a string not octet.
In file dictionary.rfc2865
Wrong:
ATTRIBUTE Class 25 octets
Right:
ATTRIBUTE Class 25 string
Workaround is to load a custom dictionary file with definition override
Thank you for making this radius in node. I'm using it in my project.
I've checked the example but can't find something related to CoA.
Is it possible?
I'm using CoovaChilli, and the radius is working great on Authentication and Accounting.
But searching for days now on how to make it that the radius can send a termination on sessions.
Currently, I'm using child_process.exec() to spawn a chilli_query command to disconnect a user.
Would be a game changer if the radius itself can do it.
Any help is appreciated.
This is all data I get in a request:
{ 'Service-Type': 'Framed-User',
'Framed-Protocol': 'PPP',
'NAS-Port': 666,
'NAS-Port-Type': 'Virtual',
'User-Name': 'test',
'Calling-Station-Id': '2.2.2.20',
'Called-Station-Id': '2.2.2.2',
'Vendor-Specific': {},
'NAS-Identifier': 'MikroTik',
'NAS-IP-Address': '3.3.3.3.' }
IP addresses are fake here. Why could I not get the password from MikroTik?
I'm receiving the username in a format I don't know how to deal with, and I don't receive any password values, but an "EAP-message" which is an array of numbers. So how can I deal with this kind of authentication to recognize my users?
Here is what I'm receiving:
"User-Name": "{am=1}[email protected]",
"EAP-Message": [2,1,0,53,1,123,97,109,61,49,125,69,65,69,48,52,57,57,53,65,52,53,55,70,65,54,57,70,54,70,51,70,54,51,51,52,49,65,56,69,55,53,52,64,117,110,105,99,111,109,46,98,102],
"Message-Authenticator":[197,52,81,200,32,118,245,164,162,2,67,28,130,110,206,44 ]
PS: I'm trying to install and configure your RADIUS server with Alvarion systems, but I'm experiencing a couple of problems and would like your help in this matter to get it up and running. So if you have some time and are ready to help, here is my e-mail: [email protected] (I didn't find yours)
Regards.
There is a length limit on attribute length of 256 chars. If it is more than that, the code fails with the following error:
value is out of bounds
at TypeError ()
at checkInt (buffer.js:784:11)
at Buffer.writeUInt8 (buffer.js:794:5)
at Object.Radius.encode_attributes (radius/lib/radius.js:850:12)
at Object.Radius.encode_attributes (radius/lib/radius.js:832:29)
at Object.Radius._encode_with_authenticator (radius/lib/radius.js:699:20)
at Object.Radius.encode (radius/lib/radius.js:662:15)
Can this limit be removed? We have to send much bigger length.
Hi,
I try to use node-radius with MSM720 controller and I configured WPA (WPA2/AES/CCMP) wireless protection.
When MSM720 connects to node-radius there is no User-password attribute in decoded package data.
What should I do to get password from received packet?
I want to authenticate user in Active Directory with chap or mschap.
The radius comes as a password <Buffer 9d 98 5e be 43 35 aa c7 b4 c0 4d a8 85 41 1c 46 99>. There is no way to code this.
How can I query the chap password from the active directory?
Hi guys. I'm working with radius authentication and billing on the jerasoft platform. Docs link - https://docs.jerasoft.net/display/IM/JeraSoft+VCS%3A+RADIUS+Integration
I need to pass custom non-vendor-specific attributes: request-type, src-gw-ip, src-gw-name.
If I do it like this:
const packet = radius.encode({
code: 'Access-Request',
secret: 'my secret',
attributes: [
['request-type', 'user'],
['src-gw-name', 'my-gw'],
['gw-ip', '127.0.0.1'],
],
})
I get an error:
Error: encode: invalid attributes - must give Buffer for unknown attribute 'request-type'
If I do it like this:
const packet = radius.encode({
code: 'Access-Request',
secret: 'my secret',
attributes: [
['request-type', Buffer.from('user')],
['src-gw-name', Buffer.from('my-gw')],
['gw-ip', Buffer.from('127.0.0.1')],
],
})
I have no errors, but I have a tcp-dump with Unknown-Attribute instead of fields
User Datagram Protocol, Src Port: 9984, Dst Port: 1812
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x88 (136)
Length: 44
Authenticator: 3390678678fccvcvbcvb62770fedfgdfg806fc
Attribute Value Pairs
AVP: l=6 t=Unknown-Attribute(0): 75736572
AVP: l=7 t=Unknown-Attribute(0): 6d792d6777
AVP: l=11 t=Unknown-Attribute(0): 3132372e302e302e31
Please help me. What did I do wrong?
Hi there! I try to use this from linux and via openwrt. I configured a WPA-EAP network and a server that listens to the radius requests using this library. Sadly, the user-password doesn't get decrypted. I guess this is due to me having either not configured openwrt or my computer correctly. What seem to be the correct configurations for the router and the end-points?
Client:
Security: WPA & WPA2 Enterprise
Auth: Tunneled TLS
Inner Auth: PAP
user: user
password: pass
Openwrt Router:
Encryption: WPA-EAP
Cipher: CCMP and TKIP
I want to add WISPr dictionary but I get encoding error.
I added file dictionary.wispr in dictionary folder
Hello,
Using node-radius to communicate between Coova and Freeradius, I am able to generate the request and get the answer from Freeradius, but when I want to verify the response it fails. What is strange is that the response is an "Accept-Accept" id so all is good (username, password and the secret)
Here is the code to validate :
client.on('message', function(msg, rinfo) {
console.log('*** Message');
console.log('****');
console.log(msg)
console.log('*** rinfo');
console.log('****');
console.log(rinfo)
let response = radius.decode({packet: msg, secret: config.freeradius_secret});
console.log('*** Response');
console.log('****');
console.log(response)
let request = sent_packets[response.identifier];
console.log('*** Associate request');
console.log('****');
console.log(request)
let valid_response = radius.verify_response({
response: msg,
request: request.raw_packet,
secret: request.secret
});
console.log('*** valid_response');
console.log('****');
console.log(valid_response)
// Close connector
client.close();
console.log('*** Got response');
console.log('****');
console.log(valid_response)
});
And the output
*** New request
****
{ stage: 'login',
service: 'login',
user: 'test',
chap_chal: '70d128006b84a8f4260b2474c09e0ac6',
chap_pass: 'cc12abe2d3b8d8083fbae677089eed8b',
chap_id: '0',
ap: '00-0C-29-38-DF-D8',
mac: '00-50-56-C0-00-01',
ip: '172.16.1.1',
sessionid: '154903527700000005',
nasid: 'KUPIKI' }
Request managed. Login request
*** Message
****
<Buffer 02 00 00 14 bd f9 02 db 16 44 ea 8f bf d3 1c 13 12 78 71 bb>
*** rinfo
****
{ address: '127.0.0.1', family: 'IPv4', port: 2812, size: 20 }
*** Response
****
{ code: 'Access-Accept',
identifier: 0,
length: 20,
authenticator: <Buffer bd f9 02 db 16 44 ea 8f bf d3 1c 13 12 78 71 bb>,
attributes: {},
raw_attributes: [] }
*** Associate request
****
{ raw_packet: <Buffer 01 00 00 3f 5f e7 97 51 52 34 60 af f7 7d ed ee 40 fe 7f ba 01 06 74 65 73 74 03 13 00 cc 12 ab e2 d3 b8 d8 08 3f ba e6 77 08 9e ed 8b 3c 12 70 d1 28 ... >,
secret: 'blJt5vyBxgkPVTw93XrCk0fvEoUzlf4z' }
*** valid_response
****
false
*** Got response
****
{ code: 'Access-Accept',
identifier: 0,
length: 20,
authenticator: <Buffer bd f9 02 db 16 44 ea 8f bf d3 1c 13 12 78 71 bb>,
attributes: {},
raw_attributes: [] }
false
This attribute is required for requests such as Status-Server to poll for information from RADIUS servers. There's no clean way of doing this today because this attribute is calculated on the entire RADIUS packet.
Are there any intentions to add support for this, and generally to continue updating supporting this repo?
Thanks.
Hello!
Does node-radius support EAP packets now?
Mismatching radius secrets cause app termination in example server
C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\node_modules\radius\lib\radius.js:277
throw err;
^
Invalid Secret Error: decode: Message-Authenticator mismatch (possible shared secret mismatch)
at new Radius.InvalidSecretError >(C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\node_modules\radius\lib\radius.js:32:9)
at Object.Radius._verify_request_message_authenticator (C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\node_modules\radius\lib\radius.js:380:16)
at Object.Radius.decode (C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\node_modules\radius\lib\radius.js:346:10)
at Socket. (C:\Users\jonte.sehlin\OneDrive\telog\Utveckling\radius\server.js:16:19)
at emitTwo (events.js:87:13)
at Socket.emit (events.js:172:7)
at UDP.onMessage (dgram.js:480:8)
I want to add EAP-Message attribute to the response package, like this
var response = radius.encode_response({
packet: packet,
code: code,
secret: "shared_secret",
attributes: [
['User-Name', username],
['EAP-Message', 555,
[
['Code', 1],
['Id', ''],
['Length', ''],
['Type', 'MD5-Challenge'],
['Type-Data', token],
]
]
]
});
Radius module throws an error
Documents/radius/node_modules/radius/lib/radius.js:277
throw err;
^
Error: encode: must provide Buffer for attribute 'EAP-Message'
How to solve this issue? Thank you
Remote server allow authentication with ms-chapv2 only, can I implement ms-chapv2 by myself? or any idea?
Can you please update the npm repository version with latest changes to the git repo? namely the addition for the Message-Authenticator.
Just registering an issue for future consideration.
While implementing PEAP Authentication I ran into an issue:
TypeError: "value" argument is out of bounds
at Object.Radius.encode_attributes (/opt/radius_server/node_modules/radius/lib/radius.js:875:12)
I was able to debug it and figured that I shouldn't be attempting to send a 1499 byte PEAP response that includes a SSL cert in an attribute value that only supports 255 bytes.
That being said, doing a sanity check that the attribute value length is greater than what is supported and telling the user it doesn't fit would be helpful.
In this instance the TLS message CAN be sent in 253 byte fragments so I'll be breaking it up and sending it that way.
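Added example (not node-radius code): the length check requested above and in the earlier "value is out of bounds" report, plus the 253-octet fragmentation the author describes. The attribute length field is a single octet that also counts the type and length octets, which is why 253 is the ceiling for a value; EAP-Message (type 79) may be repeated and concatenated by the receiver, while most other attributes may not. `encodeAttribute`, `fragmentValue` and `reassemble` are hypothetical helpers and the payload is constructed.

```javascript
const MAX_VALUE_LEN = 253; // 255 (one-octet length field) minus type and length octets
const EAP_MESSAGE = 79;    // RADIUS attribute type for EAP-Message

// Encode one attribute as type | length | value, failing with a readable
// message instead of an out-of-bounds write when the value does not fit.
function encodeAttribute(type, value) {
  if (!Buffer.isBuffer(value)) {
    throw new TypeError(`attribute ${type}: value must be a Buffer`);
  }
  if (value.length > MAX_VALUE_LEN) {
    throw new RangeError(
      `attribute ${type}: value is ${value.length} octets, limit is ${MAX_VALUE_LEN}`
    );
  }
  return Buffer.concat([Buffer.from([type, value.length + 2]), value]);
}

// Split a long payload into consecutive attributes of the same type.
// Only valid for attributes that the receiver concatenates, such as EAP-Message.
function fragmentValue(type, payload) {
  const attrs = [];
  for (let off = 0; off < payload.length; off += MAX_VALUE_LEN) {
    attrs.push(encodeAttribute(type, payload.subarray(off, off + MAX_VALUE_LEN)));
  }
  return attrs;
}

// Receiver side: concatenate the values of all attributes of one type, in order.
function reassemble(encodedAttrs, type) {
  return Buffer.concat(
    encodedAttrs
      .filter((attr) => attr[0] === type)
      .map((attr) => attr.subarray(2, attr[1]))
  );
}

// Constructed stand-in for the 1499-byte PEAP response mentioned above.
const SAMPLE_PAYLOAD = Buffer.alloc(1499, 0xab);

function demo() {
  const fragments = fragmentValue(EAP_MESSAGE, SAMPLE_PAYLOAD);
  return {
    count: fragments.length,
    sizes: fragments.map((f) => f.length),
    roundTrip: reassemble(fragments, EAP_MESSAGE).equals(SAMPLE_PAYLOAD),
  };
}

console.log(demo());
```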
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Warning
These dependencies are deprecated:
Datasource | Name | Replacement PR? |
---|---|---|
npm | nodeunit |
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
package.json
nodeunit ~0.8.6
node >=0.8.0
.travis.yml
node 6
node 0.10
node 0.12
node 4.3
I'm trying to use this:
http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary
together with all the dictionary.rfcXXX files inside the dictionaries folder provided with this repository but I have some problems and not fields seems to be loaded correctly.
If I strip out the BEGIN-VENDOR and END-VENDOR the attributes are loaded but are misunderstood by the library. Are there any issues reading files with EOL in CRLF and not only LF?
i'm running node 4.3.1 on os x.
my intuition tells me that the cause of my problem is that node's buffer class has changed between 0.8.0 and 4.3.1.
when responding to an access-request packet, i use encode_response which tries to copy the authenticator from the request packet to my response packet. when doing so, i get a typeerror because radius was expecting authenticator to be a buffer, but it isn't.
i've patched this in a personal fork of the library. my patch doesn't break any existing tests and the program i've written that uses my personal fork now works as expected.
here's the patch i made: https://github.com/skibz/node-radius/commit/dc75c4a4fa0618baa84c5c6ae257784d576fca4f (please excuse the profanity)
Hi,
Password above 16 characters can't get decoded.
This is a result of field.length being over 16(32).
I really need help with this one, any suggestions?
Hello guys. I'm trying to use this library to perform Status-Server requests to a FreeRADIUS server v3.0.19 following the spec and examples in official RFC (section 6.): https://freeradius.org/rfc/rfc5997.html
This is how my packet looks:
var packet = {
code: "Status-Server",
secret: "some-secret",
identifier: getRandomInt(255),
attributes: [
["Vendor-Specific", 11344, [["FreeRADIUS-Statistics-Type", "1"]]]
]
};
The packet is accepted and successfully processed by FreeRADIUS as shown in the server logs:
Received Status-Server Id 36 from 172.18.0.1:51235 to 172.18.0.4:18121 length 50
FreeRADIUS-Statistics-Type = Authentication
Message-Authenticator = 0xc6f783dc3166455a5128081572d40c82
# Executing group from file /etc/freeradius/sites-enabled/status
Autz-Type Status-Server {
[ok] = ok
} # Autz-Type Status-Server = ok
Sent Access-Accept Id 36 from 172.18.0.4:18121 to 172.18.0.1:51235 length 0
FreeRADIUS-Total-Access-Requests = 12
FreeRADIUS-Total-Access-Accepts = 0
FreeRADIUS-Total-Access-Rejects = 0
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 0
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Auth-Unknown-Types = 0
Finished request
but when I call radius.verify_response the function returns false given that it's expecting a Message-Authenticator attribute in the response packet: https://github.com/retailnext/node-radius/blob/master/lib/radius.js#L426
Looking at the FreeRADIUS RFC, I see that request packets must provide a Message-Authenticator attribute but response packets do not have this attribute. Response packets are still verified by looking at byte range 4:20 of the encoded packet, which is what's done in method radius.verify_response, but I think that the call to this._verify_response_message_authenticator at the end of the method should be omitted for Status-Server packets.
I see that the library has some support for Status-Server since it's mentioned in the README that a Message-Authenticator is automatically added for Status-Server packets but couldn't find any examples of this type of request to think this could be an error with my FreeRADIUS server installation.
I'll open a PR with a potential fix.
Thanks!
Hi,
According to the doc this supports password encryption types listed in RFC2865 User-Password section, does it include Chap-Password section in RFC2865? Thanks.
I'm working with radius requests from GGSNs on mobile/cell phone networks.
I have written a small dictionary for the parts of 3GPP I've encountered:
# 3GPP attributes
VENDORATTR 10415 3GPP-PDP-Type 3 integer
VENDORATTR 10415 3GPP-SGSN-MCC-MNC 18 string
VENDORATTR 10415 3GPP-IMEISV 20 string
VENDORATTR 10415 3GPP-RAT-Type 21 octets
VENDORATTR 10415 3GPP-User-Location-Info 22 octets
Is there some form of hook for decoding octets to JSON objects, where the data has an obscure encoding (a mixture of BCD and multiple bitwise fields, for one field I've encountered)?
Is this sort of decoding in or out of scope for node-radius?
Nice work on this library, it has saved me considerable effort, thank you! I used this with captive portal and was able to get this working with little effort. Now I plan to use this package with WPA2 enterprise and looking at the logs of free radius, the peer I tested with appears to use PEAP over TLS. I just started with WPA 2, I tried to accept all WPA2 requests by sending a blind Access Accept using node-radius and nothing happened ( the peer did not connect ). It looks like I have to implement the EAP challenge response mechanism, is my assumption correct? It appears to be a heavily involved process, nevertheless, I plan to work on it over next 3 - 6 months. Any pointers would be very helpful, TIA.
I'm trying to use the node-radius example to authenticate users connecting to a Linksys WRT 1200AC Wireless Router. I receive the packet from the router when a user authenticates, and I send the "Access-Accept" response but the client gets an "invalid password" every time. Of course, there are no logs or any information on the router itself that might help me debug the issue.
Could there be some vendor specific feature I need to enable for this AP?
Thanks
Hello
First thank for the lib ! Really useful !
I have a toolbox for an access point with hostapd, CoovaChilli and Freeradius. I would like to add a kind of middleware between Coova and Freeradius. So I created one with NodeJS.
With this library, using Cleartext-password requests to Freeradius, it works great. Then I try to get the request from Coova, translate it into a packet and send it to Freeradius. The issue is that Freeradius rejects the request due to a wrong password length.
The original request received from Coova :
{ stage: 'login',
service: 'login',
user: 'chris',
chap_chal: '9e264833bb4c59a13c7f8503bc8b945f',
chap_pass: 'e7d8b327c909f763fd7a710eb8013232',
chap_id: '0',
ap: '00-0C-29-3E-41-F9',
mac: '00-50-56-C0-00-01',
ip: '172.16.1.1',
sessionid: '154719715100000001',
nasid: 'KUPIKI' }
How the packet is prepared for Freeradius :
let packet_freeradius = {
code: "Access-Request",
secret: secret,
identifier: 0,
attributes: []
};
And then on reception from Coova :
packet_freeradius.attributes = [
['NAS-IP-Address', '10.5.5.5'],
['User-Name', req.query.user],
['CHAP-Password', new Buffer.from(req.query.chap_pass, 'hex')],
['CHAP-Challenge', new Buffer.from(req.query.chap_chal, 'hex')],
];
And the trace in Freeradius
(5) Received Access-Request Id 0 from 127.0.0.1:49001 to 127.0.0.1:2812 length 69
(5) NAS-IP-Address = 10.5.5.5
(5) User-Name = "chris"
(5) CHAP-Password = 0xe7d8b327c909f763fd7a710eb8013232
(5) CHAP-Challenge = 0x9e264833bb4c59a13c7f8503bc8b945f
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) chap: &control:Auth-Type := CHAP
(5) [chap] = ok
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: No '@' in User-Name = "chris", looking up realm NULL
(5) suffix: No such realm "NULL"
(5) [suffix] = noop
(5) eap: No EAP-Message, not doing EAP
(5) [eap] = noop
(5) [files] = noop
(5) sql: EXPAND %{User-Name}
(5) sql: --> chris
(5) sql: SQL-User-Name set to 'chris'
rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 59568 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (9): Hit idle_timeout, was idle for 59514 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): Closing connection (10): Hit idle_timeout, was idle for 59514 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql_mysql: Socket destructor called, closing socket
rlm_sql (sql): 0 of 0 connections in use. You may need to increase "spare"
rlm_sql (sql): Opening additional connection (11), 1 of 32 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.37-MariaDB-0+deb9u1, protocol version 10
rlm_sql (sql): Reserved connection (11)
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'chris' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'chris' ORDER BY id
(5) sql: User found in radcheck table
(5) sql: Conditional check items matched, merging assignment check items
(5) sql: Cleartext-Password := "chris"
(5) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(5) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'chris' ORDER BY id
(5) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'chris' ORDER BY id
(5) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(5) sql: --> SELECT groupname FROM radusergroup WHERE username = 'chris' ORDER BY priority
(5) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'chris' ORDER BY priority
(5) sql: User not found in any groups
rlm_sql (sql): Released connection (11)
rlm_sql (sql): Need 2 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (12), 1 of 31 pending slots used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.37-MariaDB-0+deb9u1, protocol version 10
(5) [sql] = ok
(5) [expiration] = noop
(5) [logintime] = noop
(5) pap: WARNING: Auth-Type already set. Not setting to PAP
(5) [pap] = noop
(5) } # authorize = ok
(5) Found Auth-Type = CHAP
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Auth-Type CHAP {
(5) chap: ERROR: &request:CHAP-Password has invalid length
(5) [chap] = invalid
(5) } # Auth-Type CHAP = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Post-Auth-Type REJECT {
(5) sql: EXPAND .query
(5) sql: --> .query
(5) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (11)
(5) sql: EXPAND %{User-Name}
(5) sql: --> chris
(5) sql: SQL-User-Name set to 'chris'
(5) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(5) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'chris', '0xe7d8b327c909f763fd7a710eb8013232', 'Access-Reject', '2019-01-11 10:02:48')
(5) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'chris', '0xe7d8b327c909f763fd7a710eb8013232', 'Access-Reject', '2019-01-11 10:02:48')
(5) sql: SQL query returned: success
(5) sql: 1 record(s) updated
rlm_sql (sql): Released connection (11)
(5) [sql] = ok
(5) attr_filter.access_reject: EXPAND %{User-Name}
(5) attr_filter.access_reject: --> chris
(5) attr_filter.access_reject: Matched entry DEFAULT at line 11
(5) [attr_filter.access_reject] = updated
(5) [eap] = noop
(5) policy remove_reply_message_if_eap {
(5) if (&reply:EAP-Message && &reply:Reply-Message) {
(5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(5) else {
(5) [noop] = noop
(5) } # else = noop
(5) } # policy remove_reply_message_if_eap = noop
(5) } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(5) Sending delayed response
(5) Sent Access-Reject Id 0 from 127.0.0.1:2812 to 127.0.0.1:49001 length 20
Waking up in 3.9 seconds.
(5) Cleaning up request packet ID 0 with timestamp +59984
As if the 0x is added by the buffer translation ?
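Added example (not the issue author's code and not part of node-radius): how a CHAP-Password value is laid out and checked under RFC 2865, which defines it as one CHAP Ident octet followed by the 16-octet response, 17 octets in total, where the response is MD5(ident || password || challenge). The trace above shows a 16-octet value, i.e. the response without the ident. `buildChapPassword`, `chapResponse` and `verifyChap` are hypothetical helpers; the challenge and password are constructed, and the `chap_id` / `chap_pass` parameter names follow the Coova request shown above.

```javascript
const crypto = require('crypto');

// response = MD5(ident || password || challenge), per RFC 2865 section 2.2
function chapResponse(ident, password, challenge) {
  return crypto
    .createHash('md5')
    .update(Buffer.from([ident]))
    .update(Buffer.from(password, 'utf8'))
    .update(challenge)
    .digest();
}

// Build the 17-octet CHAP-Password value from the portal's chap_id and chap_pass.
function buildChapPassword(chapId, chapPassHex) {
  if (!/^\d+$/.test(String(chapId)) || Number(chapId) > 255) {
    throw new RangeError('chap_id must be an integer between 0 and 255');
  }
  const response = Buffer.from(chapPassHex, 'hex');
  if (response.length !== 16) {
    throw new RangeError(`CHAP response must be 16 octets, got ${response.length}`);
  }
  return Buffer.concat([Buffer.from([Number(chapId)]), response]);
}

// Server-side check: recompute the response from the stored cleartext password.
function verifyChap(chapPassword, challenge, password) {
  if (!Buffer.isBuffer(chapPassword) || chapPassword.length !== 17) {
    return false; // a bare 16-octet response is rejected as an invalid length
  }
  const expected = chapResponse(chapPassword[0], password, challenge);
  return crypto.timingSafeEqual(expected, chapPassword.subarray(1));
}

// Constructed sample values (not taken from the trace above).
const SAMPLE_CHALLENGE = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const SAMPLE_PASSWORD = 'example-pass';
const SAMPLE_CHAP_ID = '0';
const SAMPLE_CHAP_PASS_HEX = chapResponse(0, SAMPLE_PASSWORD, SAMPLE_CHALLENGE).toString('hex');

function demo() {
  const value = buildChapPassword(SAMPLE_CHAP_ID, SAMPLE_CHAP_PASS_HEX);
  return {
    length: value.length,
    accepted: verifyChap(value, SAMPLE_CHALLENGE, SAMPLE_PASSWORD),
    wrongPassword: verifyChap(value, SAMPLE_CHALLENGE, 'not-the-password'),
    withoutIdent: verifyChap(Buffer.from(SAMPLE_CHAP_PASS_HEX, 'hex'), SAMPLE_CHALLENGE, SAMPLE_PASSWORD),
  };
}

console.log(demo());
```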
I'm using the example and added Session-Timeout on Access-Accept.
I'm logged in but there's no time limit.
I'm using Mikrotik Hap Lite
packet.attributes['Session-Timeout'] = 300;
var response = radius.encode_response({
packet: packet,
code: code,
secret: secret
});
Any clue?
Wireshark can decode the fields of a radius packet without a secret.
This makes me think that the secret is not needed for decoding. Why does the node-radius API require it?
I have a server with multiple secrets, and need to know the value of an attribute inside of the radius packet, in order to choose which secret to use.
How can I achieve this?
Every time I send a message to the server, password = packet.attributes['User-Password']; remains undefined and I get an 'Access-Reject' because I cannot authenticate.
I'm working on a system which allows sending multiple radius requests in parallel. The number of requests may be greater than 255. But I don't know how to realize it now. I need something like a query for requests.
Can I insert in the 'identifier' field something like a uuid or guid?
It should be calculated the same way as for an Accounting-Request, per RFC 3576. Blindly replacing all the
if (XYZ == 'Accounting-Request')
with
if (XYZ == 'Accounting-Request' || XYZ == 'Disconnect-Request')
worked for me.
Dear colleague developer,
We (my team and I) are using your radius library for a while now and I must say we are very happy with it.
It works very fast and gets the job done. We use it to process thousands of requests per minute and it does it like a boss.
A couple of weeks ago we started working on implementing webRTC in one of our web applications.
To get it working we send a JWT (JSON Webtoken) token to our SIP server (Brekeke) along with the register request using the JsSIP javascript library.
We do this because we don't want to show the password of the SIP account in plain text in our client-side application. We use the Vendor-Specific attributes (dictionaries) to pass this JWT token to our node radius process. We then validate the JWT token in our authentication process after we decoded the RADIUS packet using your library. This worked fine and we could register the SIP account and make calls and everything.
But here comes the problem. We noticed that sometimes our SIP server sends malformed RADIUS packets to our radius service (random). And we know we have to fix this on our side but something happened in the decode process of your radius lib. It created a memory leak causing the node app to crash.
This memory leak occurs when the length variable in the decode_attributes function is 0.
Because the attributes are decoded inside a while loop:
while (data.length > 0) / data = data.slice(length);
and the length variable used to slice the data is 0, it will stay in this loop until the raw_attrs variable is so big, it eats up too much memory.
Of course we can easily fix this with the following line:
if (!length) throw new Error("readUInt8(1) has length of 0");
You can reproduce this issue using a buffer I provided:
corrupBuffer.txt
I hope we can discuss this problem and hopefully come to a solution.
With regards,
Mark Horsman
Tam One
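Added example (not node-radius code): a stand-alone walker over the RADIUS header and attribute TLVs that rejects the zero-length attribute described in the report above instead of looping on it. It also relates to the earlier question about reading an attribute before choosing a secret: attribute framing is not encrypted, so type/value pairs such as NAS-Identifier can be read without the secret, while values like User-Password stay obfuscated and nothing is authenticated. `parseRadius`, `tlv` and `buildSample` are hypothetical helpers and both packets are constructed.

```javascript
const HEADER_LEN = 20; // code(1) + identifier(1) + length(2) + authenticator(16)

// Parse header and raw attributes without a shared secret, validating every length.
function parseRadius(packet) {
  if (packet.length < HEADER_LEN) {
    throw new Error('packet shorter than the 20-octet header');
  }
  const declared = packet.readUInt16BE(2);
  if (declared < HEADER_LEN || declared > packet.length) {
    throw new Error(`declared packet length ${declared} is invalid`);
  }
  const attributes = [];
  let offset = HEADER_LEN;
  while (offset < declared) {
    if (declared - offset < 2) {
      throw new Error(`truncated attribute header at offset ${offset}`);
    }
    const type = packet.readUInt8(offset);
    const length = packet.readUInt8(offset + 1);
    // length counts the type and length octets themselves; a value below 2
    // would never advance the cursor, which is the endless loop reported above.
    if (length < 2) {
      throw new Error(`attribute at offset ${offset} declares length ${length}`);
    }
    if (offset + length > declared) {
      throw new Error(`attribute at offset ${offset} overruns the packet`);
    }
    attributes.push({ type, value: packet.subarray(offset + 2, offset + length) });
    offset += length;
  }
  return {
    code: packet.readUInt8(0),
    identifier: packet.readUInt8(1),
    authenticator: packet.subarray(4, HEADER_LEN),
    attributes,
  };
}

// Helpers for building constructed test packets.
function tlv(type, text) {
  const value = Buffer.from(text);
  return Buffer.concat([Buffer.from([type, value.length + 2]), value]);
}

function buildSample(attrs) {
  const body = Buffer.concat(attrs);
  const header = Buffer.alloc(HEADER_LEN); // all-zero authenticator
  header.writeUInt8(1, 0);                 // code 1 = Access-Request
  header.writeUInt8(7, 1);                 // identifier
  header.writeUInt16BE(HEADER_LEN + body.length, 2);
  return Buffer.concat([header, body]);
}

// Constructed packets: User-Name (1) and NAS-Identifier (32), then a malformed variant
// whose second attribute (type 26) declares length 0.
const GOOD_PACKET = buildSample([tlv(1, 'test'), tlv(32, 'nas1')]);
const ZERO_LENGTH_PACKET = buildSample([tlv(1, 'test'), Buffer.from([26, 0, 0, 0])]);

// Read NAS-Identifier before any secret is involved, e.g. to select the secret.
function nasIdentifier(packet) {
  const attr = parseRadius(packet).attributes.find((a) => a.type === 32);
  return attr ? attr.value.toString('utf8') : null;
}

console.log(nasIdentifier(GOOD_PACKET));
try {
  parseRadius(ZERO_LENGTH_PACKET);
} catch (e) {
  console.log('rejected:', e.message);
}
```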
A small snippet of code
I can't request the user to disconnect, it doesn't happen
const encoded = radius.encode({
  code: 'Disconnect-Request',
  secret: this.secret,
  identifier: 0,
  attributes: [
    ['User-Name', connect.username],
    ['NAS-Identifier', 'MikroTik'],
  ]
});
this.server.send(
  encoded,
  0,
  encoded.length,
  3799, '127.0.0.1', (err, bytes) => {
    if (err) {
      console.log('Error sending response to ');
      console.log(err);
    }
    console.log(bytes);
  });
If a packet contains an attribute with a tag, all following attributes also have the same tag, even if these attributes have no tag according to the RADIUS RFC.
The problem is caused by the fact that the tag variable is not reset if no has_tag element is found in the attr_inf, see here. Therefore the tag is applied to all following attributes as long as no attribute with a has_tag and no specified tag is found.
We are developing Guest WiFi solutions, so we want to do authentication and accounting too. We also want speed control and time duration. Can we use it for these purposes? We want RADIUS in Node.js with a MongoDB database backend.
I was not sure where to put this, but I think this module is awesome, and I'm going to build a test Radius server with this to simulate Account Request/Account Response messaging.
Is there a similar package in the works for RADIUS or GTPC messaging? I think with the high message count for these protocols, NodeJS would be awesome. Thanks.
How should I go about authenticating with Active Directory?
Thankx
Hi,
I am able to load the dictionary with vendor specific attributes in radius server. I can receive the vendor specific attributes in a response in the form of "raw_attributes" but not as a value of attributes object with 'Vendor-Specific' key
server-encoding response:
var response = radius.encode_response({
packet: packet,
code: code,
secret: secret,
attributes: [
// ['NAS-IP-Addess', '10.5.5.5'],
['User-Name', 'rajiv'],
['User-Password', 'Ltrx12345'],
['Vendor-Specific', 14988, [['Mikrotik-Wireless-PSK', 'shiva']]]
]
});
client-decoded packet data:
{ code: 'Access-Accept',
identifier: 0,
length: 58,
authenticator: <Buffer eb c1 e2 81 72 0a bc db 20 ce 18 c6 24 ef 12 9e>,
attributes:
{ 'User-Name': 'rajiv',
'User-Password': 'A�\u0013��t7��\u001c���F�9',
'Vendor-Specific': {} },
raw_attributes:
[ [ 1, <Buffer 72 61 6a 69 76> ],
[ 2, <Buffer 1d 12 74 44 c1 cc 36 e0 e9 7c 32 7f 25 8c 0a e9> ],
[ 26, <Buffer 00 00 3a 8c 10 07 73 68 69 76 61> ] ] }
I want to know the exact format of the decoded response with 'Vendor-Specific' attributes. How do I form the server encoding response to get the values as 'Vendor-Specific' attributes in the decoded response (when will the 'Vendor-Specific' attribute value get fulfilled)? Please guide me, I am unable to find it out.
To reproduce:
I can't put more than 8 strings in one attribute.
For example:
Trying to insert over 8 groups (strings) into the 'class' attribute results in a crash claiming it is out of boundaries.
How do I bypass this?