[erlang-questions] RADIUS decode/encode

Artem Teslenko <>
Fri Oct 9 16:57:42 CEST 2015


Hi,

Look at https://github.com/ates/radius project

Especially radius_codec module

On 10/09/2015 04:29 PM, Kirill Ratkin wrote:
> Hi guys,
>
> Who played with RADIUS?
>
> I'm trying to make test aplication which decode request and encode 
> response (Accept).
>
> Here is code:
>
> handle_info({udp, Socket, IP, Port, Packet}, State) ->
>     io:format("Packet is ~p~n", [hexlify(Packet)]),
>
>     <<Code:8, Identifier:8, Length:16, Authenticator:128, 
> Attributes/binary>> = Packet,
>
>     io:format("Packet is ~p,~p,~p,~p,~p~n", [
>                             Code,
>                             Identifier,
>                             Length,
>                             Authenticator,
>                             hexlify(Attributes)
>                            ]),
>
>     <<Len:8, Type:8, Body/binary>> = Attributes,
>
>     io:format("AVP: ~p, ~p, ~p~n", [Len, Type, Body]),
>
>     AVPCode         = 18,
>     AVPMessage      = <<"You dick">>,
>     AVPSize         = byte_size(AVPMessage) + 2,
>     AVPResponse     = <<AVPCode:8, AVPSize:8, AVPMessage/binary>>,
>     RCode           = 2,    % calculated base on logic, accept is now 
> for test
>     RLength         = byte_size(AVPResponse) + 20,
>     Secret          = <<"secret">>,
>     RAuthenticator  = erlang:md5(<<Code:8, Identifier:8, Length:16, 
> Authenticator:128, AVPResponse/binary, Secret/binary>>),
>     Response        = <<RCode, Identifier, RLength:16, 
> RAuthenticator/binary, AVPResponse/binary>>,
>
>     gen_udp:send(Socket, IP, Port, Response),
>
>     inet:setopts(Socket, [{active, once}]),
>     {noreply, State};
>
> It works but ... 'radclient' says Response Authenticator is not 
> correctly calculated.
>
> This is its output:
>
> $ echo "User-Name = test" | radclient -x localhost:1812 auth secret
> Sending Access-Request Id 68 from 0.0.0.0:38654 <http://0.0.0.0:38654> 
> to 127.0.0.1:1812 <http://127.0.0.1:1812>
>     User-Name = 'test'
> Received Access-Accept Id 68 from 127.0.0.1:1812 
> <http://127.0.0.1:1812> to 127.0.0.1:38654 <http://127.0.0.1:38654> 
> length 30
> (0) Reply verification failed: Received Access-Accept packet from home 
> server 127.0.0.1 port 1812 with invalid Response Authenticator!  
> (Shared secret is incorrect.)
>
> RFC says:
>
>       Response Authenticator
>
>          The value of the Authenticator field in Access-Accept, Access-
>          Reject, and Access-Challenge packets is called the Response
>          Authenticator, and contains a one-way MD5 hash calculated over
>          a stream of octets consisting of: the RADIUS packet, beginning
>          with the Code field, including the Identifier, the Length, the
>          Request Authenticator field from the Access-Request packet, and
>          the response Attributes, followed by the shared secret.  That
>          is, ResponseAuth =
>          MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where +
>          denotes concatenation.
>
> It seems I do how RFC recommends but ...
> I don't see mistake :(.
>
> Please help if you see my fault.
>
>
> _______________________________________________
> erlang-questions mailing list
> 
> http://erlang.org/mailman/listinfo/erlang-questions

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20151009/5f9e05ed/attachment.html>


More information about the erlang-questions mailing list