Closed RyanEssentialNet closed 3 years ago
It looks like you are trying to call VerifyAuth on the Server Side. This won't work:
Only Auth-Accept/-Challenge/-Reject can be verified (on the client side).
On the server side, Auth-Request packets contain a "random" number in the authenticator. The validity of the Access-Request packet is determined by decoding the User-Password / CHAP-Password (or some other Password Attribute added by later standards; I do not know how the different EAP Methods work).
The only "downside" of this is that a spoofed Radius Request will generate an Access-Reject towards a NAS. If this is a concern for you, there exists a Message-Authenticator Attribute (which the client has to support as well): https://datatracker.ietf.org/doc/html/rfc2869#section-5.14
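The Message-Authenticator check mentioned in the reply above, next to the Accounting-Request check that does not apply to Access-Request packets, as an added example that is not part of the thread or of the library's own code. The helper names and the sample packet are constructed for illustration; the HMAC-MD5 over the packet with the attribute value zeroed follows RFC 2869 section 5.14.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869, section 5.14)

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, ident, attrs, authenticator=None):
    """Constructed Access-Request (code 1) that carries a Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)  # random, not a hash
    body = attrs + attr(MSG_AUTH, bytes(16))         # MAC field zeroed while signing
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attrs + attr(MSG_AUTH, mac)

def verify_acct_authenticator(secret, packet):
    """RFC 2866 check for Accounting-Request: MD5 over packet (zeroed field) + secret."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def verify_message_authenticator(secret, packet):
    """True only if the packet is well formed and its Message-Authenticator matches."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False
    zeroed, pos, found = bytearray(packet[:length]), 20, None
    while pos + 2 <= length:
        attr_type, attr_len = zeroed[pos], zeroed[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False                              # malformed attribute
        if attr_type == MSG_AUTH:
            if attr_len != 18 or found is not None:
                return False                          # wrong size or duplicate
            found = bytes(zeroed[pos + 2:pos + 18])
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    if pos != length or found is None:
        return False                                  # trailing bytes or no MAC
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(found, expected)
```

A server that wants to drop spoofed Access-Requests before answering would treat a `False` result, including a missing attribute, as a reason to discard the packet silently.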
Thanks for that, literally just found this out myself while reading the RFC documentation.
Thanks for your answer.
I will close the issue.
Hi there,
I'm having some issues with VerifyAuthRequest(). The VerifyAcctRequest works exactly as expected, but VerifyAuthRequest() will always return False.
I have defined the following Debug function in the source code in both AcctPacket(Packet) and AuthPacket(Packet):
For AuthPacket I get the following output, and it seems that self.authenticator is a unix timestamp, so that regardless of if the Radius secrets match it will never return true.
False {'hash': b'\xfa\x1c \xb1u\xcf\xa2}\xaa\r\xcb\xc8$&\xca\xef', 'auth': b' 1623322942'}
If I am to do the same with the HandleAcctPacket function I get the correct output, when the Radius secrets match this function will return True as expected.
True {'hash': b'\xd6p\xc8\x8e\x08\x82"\xe0\xe1\xe0\x9a\x85C#\x8f\x92', 'auth': b'\xd6p\xc8\x8e\x08\x82"\xe0\xe1\xe0\x9a\x85C#\x8f\x92',
It seems that on the VerifyAuthRequest function I am getting a unix timestamp as the self.authenticator and I cannot figure out why?
Wondering if you could assist me with this? Is there something that I need to add into my code in order to get the AuthPacket to work correctly? Or is this just a bug?
Any help would be appreciated :)