[erlang-questions] RADIUS decode/encode

Kirill Ratkin <>
Fri Oct 9 15:29:15 CEST 2015


Hi guys,

Who played with RADIUS?

I'm trying to make test aplication which decode request and encode response
(Accept).

Here is code:

handle_info({udp, Socket, IP, Port, Packet}, State) ->
    io:format("Packet is ~p~n", [hexlify(Packet)]),

    <<Code:8, Identifier:8, Length:16, Authenticator:128,
Attributes/binary>> = Packet,

    io:format("Packet is ~p,~p,~p,~p,~p~n", [
                            Code,
                            Identifier,
                            Length,
                            Authenticator,
                            hexlify(Attributes)
                           ]),

    <<Len:8, Type:8, Body/binary>> = Attributes,

    io:format("AVP: ~p, ~p, ~p~n", [Len, Type, Body]),

    AVPCode         = 18,
    AVPMessage      = <<"You dick">>,
    AVPSize         = byte_size(AVPMessage) + 2,
    AVPResponse     = <<AVPCode:8, AVPSize:8, AVPMessage/binary>>,
    RCode           = 2,    % calculated base on logic, accept is now for
test
    RLength         = byte_size(AVPResponse) + 20,
    Secret          = <<"secret">>,
    RAuthenticator  = erlang:md5(<<Code:8, Identifier:8, Length:16,
Authenticator:128, AVPResponse/binary, Secret/binary>>),
    Response        = <<RCode, Identifier, RLength:16,
RAuthenticator/binary, AVPResponse/binary>>,

    gen_udp:send(Socket, IP, Port, Response),

    inet:setopts(Socket, [{active, once}]),
    {noreply, State};

It works but ... 'radclient' says Response Authenticator is not correctly
calculated.

This is its output:

$ echo "User-Name = test" | radclient -x localhost:1812 auth secret
Sending Access-Request Id 68 from 0.0.0.0:38654 to 127.0.0.1:1812
    User-Name = 'test'
Received Access-Accept Id 68 from 127.0.0.1:1812 to 127.0.0.1:38654 length
30
(0) Reply verification failed: Received Access-Accept packet from home
server 127.0.0.1 port 1812 with invalid Response Authenticator!  (Shared
secret is incorrect.)

RFC says:

      Response Authenticator

         The value of the Authenticator field in Access-Accept, Access-
         Reject, and Access-Challenge packets is called the Response
         Authenticator, and contains a one-way MD5 hash calculated over
         a stream of octets consisting of: the RADIUS packet, beginning
         with the Code field, including the Identifier, the Length, the
         Request Authenticator field from the Access-Request packet, and
         the response Attributes, followed by the shared secret.  That
         is, ResponseAuth =
         MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where +
         denotes concatenation.

It seems I do how RFC recommends but ...
I don't see mistake :(.

Please help if you see my fault.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20151009/a2d4bd6d/attachment.html>


More information about the erlang-questions mailing list