Response verification fails for Status-Server response to FreeRADIUS
Hello guys. I'm trying to use this library to perform Status-Server requests to a FreeRADIUS server v3.0.19, following the spec and examples in the official RFC (section 6): https://freeradius.org/rfc/rfc5997.html
This is how my packet looks:
```javascript
// Random identifier in 0..254 (helper that was not shown in the snippet)
function getRandomInt(max) {
  return Math.floor(Math.random() * max);
}

var packet = {
  code: "Status-Server",
  secret: "some-secret",
  identifier: getRandomInt(255),
  attributes: [
    // Vendor-Specific 11344 = FreeRADIUS; Statistics-Type 1 = Authentication
    ["Vendor-Specific", 11344, [["FreeRADIUS-Statistics-Type", "1"]]]
  ]
};
```
The packet is accepted and successfully processed by FreeRADIUS as shown in the server logs:
```
Received Status-Server Id 36 from 172.18.0.1:51235 to 172.18.0.4:18121 length 50
FreeRADIUS-Statistics-Type = Authentication
Message-Authenticator = 0xc6f783dc3166455a5128081572d40c82
# Executing group from file /etc/freeradius/sites-enabled/status
Autz-Type Status-Server {
[ok] = ok
} # Autz-Type Status-Server = ok
Sent Access-Accept Id 36 from 172.18.0.4:18121 to 172.18.0.1:51235 length 0
FreeRADIUS-Total-Access-Requests = 12
FreeRADIUS-Total-Access-Accepts = 0
FreeRADIUS-Total-Access-Rejects = 0
FreeRADIUS-Total-Access-Challenges = 0
FreeRADIUS-Total-Auth-Responses = 0
FreeRADIUS-Total-Auth-Duplicate-Requests = 0
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 0
FreeRADIUS-Total-Auth-Unknown-Types = 0
Finished request
```
but when I call radius.verify_response the function returns false given that it's expecting a Message-Authenticator attribute in the response packet: https://github.com/retailnext/node-radius/blob/master/lib/radius.js#L426
Looking at the FreeRADIUS RFC, I see that request packets must provide a Message-Authenticator attribute, but response packets do not have this attribute. Response packets are still verified by looking at byte range 4:20 of the encoded packet, which is what's done in the method radius.verify_response, but I think that the call to this._verify_response_message_authenticator at the end of the method should be omitted for Status-Server packets.
I see that the library has some support for Status-Server, since it's mentioned in the README that a Message-Authenticator is automatically added for Status-Server packets, but I couldn't find any examples of this type of request to think this could be an error with my FreeRADIUS server installation.
I'll open a PR with a potential fix.
Thanks!
Hmm, if the server you are talking to doesn't support the 'Message-Authenticator', why are you calling verify_response?
I don't think we should change verify_response to call packets without the authenticator present ok. Otherwise a MITM could simply strip that attribute and modify the packet.
Sorry, I misread the RFC. It says 'Message-Authenticator' is optional for the clients to send, which I misread and thought meant that it was optional for the servers.
Disregard my previous comment.
Can you provide a pcap file with an actual 'Status-Server' request and response?
Attaching a pcap file generated with Wireshark with a single Status-Server request to FreeRADIUS. The secret used for the packets is the default adminsecret, in case you also need it. Let me know if you need additional info.
If using Wireshark to open the pcap file, you can decode the packets as RADIUS and they will show the packet contents in human-readable format.