SEBA / SEBA-805

Message-Authenticator validation missing for Radius Response in ONOS AAA App

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: ONOS & Apps
    • Labels:

      Description

      As per RFC 2869 Section 5.14, which describes the Message-Authenticator attribute, the Request Authenticator header value should be used to generate the HMAC-MD5 hash for both the RADIUS Access-Request (client to server) and the RADIUS Access-Challenge/Access-Accept/Access-Reject responses (server to client). However, the RADIUS.checkMessageAuthenticator() method of the base RADIUS implementation used in the ONOS AAA application is incomplete: it works only for a RADIUS request, because it uses the current value of the Authenticator header for the HMAC-MD5 calculation. It does not correctly validate the Message-Authenticator attribute in a RADIUS response (Access-Challenge/Accept/Reject) received by the AAA application, because the Authenticator header value sent earlier in the request (not the one received in the response) should be used for the HMAC-MD5 calculation. As a result, the Message-Authenticator check fails for every RADIUS response and its counter increases every time. Fix the issue by using the Request Authenticator value saved in the state machine for this check.
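The check described above, as an added Python example (not the ONOS AAA code, which is Java): the same Access-Challenge validates when the saved Request Authenticator is supplied and fails when the response's own Authenticator field is used. The function names, shared secret, identifier and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 section 5.14)

def split_message_authenticator(attrs):
    """Return (attrs with the Message-Authenticator value zeroed, received value)."""
    zeroed, received, i = bytearray(attrs), None, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[i] == MSG_AUTH:
            if attrs[i + 1] != 18:
                raise ValueError("Message-Authenticator must carry 16 octets")
            received = bytes(attrs[i + 2:i + 18])
            zeroed[i + 2:i + 18] = bytes(16)  # zero the value before hashing
        i += attrs[i + 1]
    if received is None:
        raise ValueError("Message-Authenticator attribute missing")
    return bytes(zeroed), received

def check_message_authenticator(packet, secret, request_auth=None):
    """request_auth=None hashes the packet's own Authenticator (correct for an
    Access-Request only); for a response pass the saved Request Authenticator."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    auth = packet[4:20] if request_auth is None else request_auth
    zeroed, received = split_message_authenticator(packet[20:length])
    expected = hmac.new(secret, packet[:4] + auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Constructed server side, used only to produce a sample response."""
    attrs += bytes([MSG_AUTH, 18]) + bytes(16)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

# Constructed sample values (not from the issue).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # saved when the Access-Request was sent
CHALLENGE = build_response(11, 7, REQUEST_AUTH, SECRET, bytes([24, 4, 0xAB, 0xCD]))

if __name__ == "__main__":
    print("saved Request Authenticator:", check_message_authenticator(CHALLENGE, SECRET, REQUEST_AUTH))
    print("response's own Authenticator:", check_message_authenticator(CHALLENGE, SECRET))
```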

              People

              Assignee:
              vijaykumar Vijaykumar Kushwaha
              Reporter:
              vijaykumar Vijaykumar Kushwaha