Project

General

Profile

Bug #1618

Captive portal: Invalid AVP value in Radius accounting packet

Added by Serge ALEXANDRE almost 8 years ago. Updated almost 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Captive Portal
Target version:
Start date:
06/24/2011
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

Hello,

Using captive portal, with Radius authentication and accounting enabled, my server (tinyradius java lib) complains about malformed attribute value.
So, I launched Wireshark, and it seems there is effectivly a wrong attribute value. (I am no a Radius expert).
In accounting STOP packet, The NAS-Port attribute is of type Integer, and, as such should be of length=6 and in fact is of l=3, which is incorrect.

Frame 451: 232 bytes on wire (1856 bits), 232 bytes captured (1856 bits)
Ethernet II, Src: Vmware_d2:01:b6 (00:0c:29:d2:01:b6), Dst: Dell_68:e6:04 (b8:ac:6f:68:e6:04)
Internet Protocol, Src: 192.168.0.140 (192.168.0.140), Dst: 192.168.0.5 (192.168.0.5)
User Datagram Protocol, Src Port: 22796 (22796), Dst Port: radius-acct (1813)
Radius Protocol
    Code: Accounting-Request (4)
    Packet identifier: 0xf1 (241)
    Length: 190
    Authenticator: 6ac936e7ef0288e6fb62c89f9ef25ac6
    [The response to this request is in frame 452]
    Attribute Value Pairs
        AVP: l=6  t=NAS-IP-Address(4): 192.168.0.140
        AVP: l=21  t=NAS-Identifier(32): pfSense.localdomain
        AVP: l=4  t=User-Name(1): sa
        AVP: l=6  t=Acct-Status-Type(40): Stop(2)
        AVP: l=6  t=Acct-Session-Time(46): 43
        AVP: l=6  t=Acct-Authentic(45): RADIUS(1)
        AVP: l=6  t=Service-Type(6): Login(1)
        AVP: l=6  t=NAS-Port-Type(61): Ethernet(15)
        AVP:[l=3]  t=NAS-Port(5): 51
            NAS-Port: 51
        AVP: l=18  t=Acct-Session-Id(44): b7cafc4004ed6345
        AVP: l=6  t=Framed-IP-Address(Cool: 192.168.20.128
        AVP: l=15  t=Called-Station-Id(30): 192.168.0.140
        AVP: l=19  t=Calling-Station-Id(31): 00:0c:29:b7:fc:c9
        AVP: l=6  t=Acct-Input-Packets(47): 5
        AVP: l=6  t=Acct-Input-Octets(42): 701
        AVP: l=6  t=Acct-Input-Gigawords(52): 0
        AVP: l=6  t=Acct-Output-Packets(48): 4
        AVP: l=6  t=Acct-Output-Octets(43): 951
        AVP: l=6  t=Acct-Output-Gigawords(53): 0
        AVP: l=6  t=Acct-Session-Time(46): 43
        AVP: l=6  t=Acct-Terminate-Cause(49): NAS-Request(10)

Corresponding hexa dump:

0070  06 00 00 00 01 3d 06 00  00 00 0f[05 03 33]2c 12   .....=.. .....3,.

In all other packet types, this attribute is encoded properly, such as in Accounting START packet:

Frame 119: 181 bytes on wire (1448 bits), 181 bytes captured (1448 bits)
Ethernet II, Src: Vmware_d2:01:b6 (00:0c:29:d2:01:b6), Dst: Dell_68:e6:04 (b8:ac:6f:68:e6:04)
Internet Protocol, Src: 192.168.0.140 (192.168.0.140), Dst: 192.168.0.5 (192.168.0.5)
User Datagram Protocol, Src Port: 56404 (56404), Dst Port: radius-acct (1813)
Radius Protocol
    Code: Accounting-Request (4)
    Packet identifier: 0xf6 (246)
    Length: 139
    Authenticator: fb7f69fee8eebf252e73122c10af4c0f
    [The response to this request is in frame 120]
    Attribute Value Pairs
        AVP: l=6  t=NAS-IP-Address(4): 192.168.0.140
        AVP: l=21  t=NAS-Identifier(32): pfSense.localdomain
        AVP: l=4  t=User-Name(1): sa
        AVP: l=6  t=Acct-Status-Type(40): Start(1)
        AVP: l=6  t=Acct-Authentic(45): RADIUS(1)
        AVP: l=6  t=Service-Type(6): Login(1)
        AVP: l=6  t=NAS-Port-Type(61): Ethernet(15)
        AVP:[l=6]  t=NAS-Port(5): 3
            NAS-Port: 3
        AVP: l=18  t=Acct-Session-Id(44): b7cafc4004ed6345
        AVP: l=6  t=Framed-IP-Address(Cool: 192.168.20.128
        AVP: l=15  t=Called-Station-Id(30): 192.168.0.140
        AVP: l=19  t=Calling-Station-Id(31): 00:0c:29:b7:fc:c9

0070  06 00 00 00 0f[05 06 00  00 00 03]2c 12 62 37 63   ........ ...,.b7c

Associated revisions

Revision b451691f (diff)
Added by Ermal Luçi almost 8 years ago

Fixes #1618. Always convert the NAS_PORT value to int in php and pass the attribute type during encoding to guarantee that it is encoded as an integer.

Revision e6bd2312 (diff)
Added by Ermal Luçi almost 8 years ago

Fixes #1618. Always convert the NAS_PORT value to int in php and pass the attribute type during encoding to guarantee that it is encoded as an integer.

History

#1 Updated by Chris Buechler almost 8 years ago

  • Project changed from pfSense Packages to pfSense

#2 Updated by Chris Buechler almost 8 years ago

  • Category set to Captive Portal
  • Target version set to 2.0
  • Affected Version set to 2.0

#3 Updated by Ermal Luçi almost 8 years ago

  • Status changed from New to Feedback

This should be fixed in latest snapshots.

#4 Updated by Ermal Luçi almost 8 years ago

  • % Done changed from 0 to 100

#5 Updated by Ermal Luçi almost 8 years ago

#6 Updated by Chris Buechler almost 8 years ago

Serge: can you confirm this fix please?

#7 Updated by Chris Buechler almost 8 years ago

  • Status changed from Feedback to Resolved

confirmed fixed

Also available in: Atom PDF