[erlang-questions] RADIUS decode/encode

Sat Oct 10 15:47:11 CEST 2015

----- Original Message -----
> From: "Kirill Ratkin" <kvratkin@REDACTED>
> To: erlang-questions@REDACTED
> Sent: Friday, October 9, 2015 3:29:15 PM
> Subject: [erlang-questions] RADIUS decode/encode

> Hi guys,

> Who played with RADIUS?

> I'm trying to make test aplication which decode request and encode response
> (Accept).

> Here is code:

> handle_info({udp, Socket, IP, Port, Packet}, State) ->
> io:format("Packet is ~p~n", [hexlify(Packet)]),

> <<Code:8, Identifier:8, Length:16, Authenticator:128, Attributes/binary>> =
> Packet,

> io:format("Packet is ~p,~p,~p,~p,~p~n", [
> Code,
> Identifier,
> Length,
> Authenticator,
> hexlify(Attributes)
> ]),

> <<Len:8, Type:8, Body/binary>> = Attributes,

> io:format("AVP: ~p, ~p, ~p~n", [Len, Type, Body]),

> AVPCode = 18,
> AVPMessage = <<"You dick">>,
> AVPSize = byte_size(AVPMessage) + 2,
> AVPResponse = <<AVPCode:8, AVPSize:8, AVPMessage/binary>>,
> RCode = 2, % calculated base on logic, accept is now for test
> RLength = byte_size(AVPResponse) + 20,
> Secret = <<"secret">>,
> RAuthenticator = erlang:md5(<<Code:8, Identifier:8, Length:16, Authenticator:128, AVPResponse/binary, Secret/binary>>),

That should be:

RAuthenticator = erlang:md5(<<RCode:8, Identifier:8, RLength:16, Authenticator:128, AVPResponse/binary, Secret/binary>>),

The Response-Authenticator is calculate over the response packet, with the Authenticator field set to the Request-Authenticator.

Andreas

> Response = <<RCode, Identifier, RLength:16, RAuthenticator/binary,
> AVPResponse/binary>>,

> gen_udp:send(Socket, IP, Port, Response),

> inet:setopts(Socket, [{active, once}]),
> {noreply, State};

> It works but ... 'radclient' says Response Authenticator is not correctly
> calculated.

> This is its output:

> $ echo "User-Name = test" | radclient -x localhost:1812 auth secret
> Sending Access-Request Id 68 from 0.0.0.0:38654 to 127.0.0.1:1812
> User-Name = 'test'
> Received Access-Accept Id 68 from 127.0.0.1:1812 to 127.0.0.1:38654 length 30
> (0) Reply verification failed: Received Access-Accept packet from home server
> 127.0.0.1 port 1812 with invalid Response Authenticator! (Shared secret is
> incorrect.)

> RFC says:

> Response Authenticator

> The value of the Authenticator field in Access-Accept, Access-
> Reject, and Access-Challenge packets is called the Response
> Authenticator, and contains a one-way MD5 hash calculated over
> a stream of octets consisting of: the RADIUS packet, beginning
> with the Code field, including the Identifier, the Length, the
> Request Authenticator field from the Access-Request packet, and
> the response Attributes, followed by the shared secret. That
> is, ResponseAuth =
> MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where +
> denotes concatenation.

> It seems I do how RFC recommends but ...
> I don't see mistake :(.

> Please help if you see my fault.

> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions