help-gnu-radius

Re: [Help-gnu-radius] ARAP Support and How To?


From: Cian Phillips
Subject: Re: [Help-gnu-radius] ARAP Support and How To?
Date: Fri, 19 Nov 2004 10:16:24 -0800

Hi Gerald,

Thanks sooo much for responding.

I don't know guile.. do you know if there are any open source or freely available *nix radius servers that support ARAP out of the box?

This is an exercise I'm doing - it's not a production environment. I have to match up a server to an unknown client with only the error messages produced by a python cgi to go on for configuring the server.

I have access to the client via web form which executes the python cgi.

The form fields are Server, Username, Password, and Secret.

Here are the error messages that lead me to believe that it was using ARAP.

Thanks again,

Cian






cgi-bin/authen.py

   27 reply=srv.SendPacket(req)
   28
   29 if reply['ARAP-Security-Data'][0] == randkey:
   30   print open('sentence').read()
   31

reply = {6: ['\x00\x00\x00\x02'], 7: ['\x00\x00\x00\x01']}, randkey = 'pVArioNL'

 /usr/local/lib/python2.2/site-packages/pyrad/packet.py in __getitem__(self={6: ['\x00\x00\x00\x02'], 7: ['\x00\x00\x00\x01']}, key='ARAP-Security-Data')

  156                         return self.data[key]
  157
  158                 values=self.data[self._EncodeKey(key)]
  159                 attr=self.dict.attributes[key]
  160                 res=[]

values undefined, self = {6: ['\x00\x00\x00\x02'], 7: ['\x00\x00\x00\x01']}, self.data = {6: ['\x00\x00\x00\x02'], 7: ['\x00\x00\x00\x01']}, self._EncodeKey = <bound method AuthPacket._EncodeKey of {6: ['\x00\x00\x00\x02'], 7: ['\x00\x00\x00\x01']}>, key = 'ARAP-Security-Data'

KeyError: 74
      __doc__ = 'Mapping key not found.'
      __getitem__ = <bound method KeyError.__getitem__ of <exceptions.KeyError instance at 0x8209dcc>>
      __init__ = <bound method KeyError.__init__ of <exceptions.KeyError instance at 0x8209dcc>>
      __module__ = 'exceptions'
      __str__ = <bound method KeyError.__str__ of <exceptions.KeyError instance at 0x8209dcc>>
      args = (74,)



On Nov 19, 2004, at 9:43 AM, Gerald wrote:

> On Thu, 18 Nov 2004, Cian Phillips wrote:
>
>> I set up GNU radius on a FreeBSD box with some really simple
>
> Two good choices. :-)
>
>> enable the Apple Remote Access Protocol stuff. There are attribute
>> definitions in dict/standard but I have no idea how to use them.
>
> Yikes. A quick look at the ARAP documentation and it seems like it's
> not for the faint of heart. You may wind up writing more code than you
> anticipated to make gnu-radius support it. Just grepping through the
> source code and CVS logs I don't see where any ARAP code has been added
> to gnu-radius. The dictionary just has the attributes in it already.
>
>> I can connect both locally and remotely using radauth and I can see
>> the messages in the logs.. (they say authentication succeeded but I
>> guess the ARAP client is looking for a challenge response?
>
> Actually your config is giving you the false sense that you are actually
> doing ARAP. More on that in a second.
>
>> I'm guessing I have to add some ARAP stuff to the clients file????
>
> I'd guess the ARAP support in gnu-radius stops at the entries in the
> dictionaries and that if it required code change it isn't supported
> yet. If you were fluent in guile you can write a module to handle the
> information you need to make it work, but I can't offer examples.
>
>> <feeling really dense>
>
> Don't. ARAP is an extension of RADIUS and therefore a little more
> complicated to set up. Add to that I don't think there is any code in
> gnu-radius that actually supports ARAP and it just won't work with
> gnu-radius.
>
>> DEFAULT Auth-Type = Accept,
>>                 Simultaneous-Use = 10
>>         Service-Type = Framed-User,
>>                 Framed-Protocol = PPP
>
> Here is the part of your config misleading you. You've told gnu-radius
> to Accept anything. Any request that comes in with Service-Type
> of Framed-User &/or Framed-Protocol PPP will match this entry and
> gnu-radius will fire off an Access-Accept message. This isn't actually
> authenticating a user. This is also an extremely insecure setup since
> basically any request that comes in to this radius server will be
> allowed.
>
> The NAS is talking to RADIUS and RADIUS is firing off accept messages
> but what I've read of ARAP there is more to the process than just
> Accepting and I don't think the code is there to support the Dictionary
> entries.
>
> I also think you are the first to ask about ARAP (in gnu-radius at least).
>
> Gerald
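
Added example (not part of the original thread and not GNU Radius code): a small Python audit for the users-file problem described in the quoted reply, flagging entries whose check items contain Auth-Type = Accept. The parsing rules (an unindented label starts an entry, check items continue while a line ends with a comma, later indented lines are reply items) and the `alice` entry are assumptions made for this illustration.

```python
import re

# Constructed sample: the DEFAULT entry is the one quoted in the thread,
# the "alice" entry is hypothetical and only there for contrast.
SAMPLE_USERS = """\
# constructed sample, not a real deployment
DEFAULT Auth-Type = Accept,
                Simultaneous-Use = 10
        Service-Type = Framed-User,
                Framed-Protocol = PPP

alice   Auth-Type = Local, User-Password = "example-only"
        Service-Type = Framed-User
"""

# attribute, comparison operator, value (quoted or bare)
PAIR = re.compile(r'([A-Za-z0-9-]+)\s*(?:[!<>]=?|=)\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Return a list of (label, check_items, reply_items) per entry."""
    entries, in_lhs = [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if not line[0].isspace():         # unindented: a new entry begins
            parts = line.split(None, 1)
            entries.append((parts[0], {}, {}))
            rest, in_lhs = (parts[1] if len(parts) > 1 else ""), True
        elif not entries:
            continue                      # indented text before any entry
        else:
            rest = line
        target = entries[-1][1] if in_lhs else entries[-1][2]
        target.update((a, v.strip('"')) for a, v in PAIR.findall(rest))
        if in_lhs and rest and not line.endswith(","):
            in_lhs = False                # check list ended, replies follow
    return entries


def audit(entries):
    """Flag entries that are accepted without any credential check."""
    findings = []
    for label, check, _reply in entries:
        if check.get("Auth-Type", "").lower() == "accept":
            scope = "any request reaching it" if label == "DEFAULT" else "user " + label
            findings.append((label, "Auth-Type = Accept: %s gets Access-Accept "
                                    "with no credential verified" % scope))
    return findings


if __name__ == "__main__":
    for label, message in audit(parse_users(SAMPLE_USERS)):
        print("%s: %s" % (label, message))
```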






