commit 885cfb79edbc00d5a99dcea41ae4020ae088eb0a Author: Mario Fetka Date: Fri Sep 15 15:01:34 2017 +0200 Imported Upstream version 2.103+dfsg diff --git a/Changes b/Changes new file mode 100644 index 0000000..1d7d71b --- /dev/null +++ b/Changes 
@@ -0,0 +1,197 @@ +Revision history for Perl extension RADIUS. + +1.56 Fri Jun 8 09:55:35 VET 2007 + + * Yaroslav Bogomolov reported a problem when packing VSAs with + dictionaries with no VENDOR definitions (numeric VIDs). his + was fixed while preserving the intended behavior of having + ->vendor_num return undef on this case. Thanks Yaroslav! + Added a reg test for this. + + +1.55 Thu Apr 26 16:21:46 VET 2007 + * Darrian Hale reported that $p->unset_attr('Attribute', + $packet->attr('Attribute')) was b0rken due to the attribute + lookup using the "escaped" value instead of the raw value + returned by ->attr. Escaping was removed and a test was + added + + * Versions bumped to 1.55 as prior fixes were confirmed to + work - Release to CPAN + + Sun Apr 22 16:54:03 VET 2007 + * Fixed the VSA packer to accept a vendor-id and a vendor + name. This will help if similar bugs are still lurking + around. This was pointed to by Pedro as well + + Sat Apr 21 14:04:35 VET 2007 + * Fixed VSA packing bug pointed out by Pedro Cavaca. Parts of + Packet.pm expected to receive a numeric vendor id, others + expected the string name + + +1.54 Tue Jan 30 11:13:42 VET 2007 + * Added missing packet file to MANIFEST + * Fixed an innocuous warn() during make test + +1.53 Tue Jan 30 06:25:33 VET 2007 + * Packets with VSAs that couldn't be decoded caused an endless + loop. This has now been fixed by skipping over the b0rked + attribute, thus parsing as much of the packet as possible. A + warn() is issued + * The packet tests now fail if the decode causes a warn() - + This may be helpful in the future for catching subtle + errors, specially in the decoding of packets + * Added a new test packet for Cisco VPN 3000 - Thanks Luis + +1.52 Mon Jan 8 15:47:38 VET 2007 + * Added patch by Freman (consistend ->set_vsattr and + ->unset_vsattr) - Thanks Freman + * ->attr_slot deprecated. 
->attr_slot_name and ->attr_slot_val + introduced + * Added documentation for those methods + * Added tests to verify correct operation of the overwrite and + slots functionality + * Multiple attributes (ie, multiple Proxy-State attributes) + are now correctly handled + * Include (untested) patch from j7 (Thanks) which allows for + multiple VSAs. We need some testing for this... + + Tue Jan 9 15:52:06 VET 2007 + * Added support for the packet decoding tests as well as + samples of common packets in a live production environment + * dictionary.base now replaces dictionary.orig + + Sun Jan 14 14:54:25 VET 2007 + * Added BroadSoft VSA dictionary supplied by j7 - Fixed typo + within it + * Extracted binary packet from the sample provided by j7 and + added standard packet decoding test + +1.51 Mon Nov 13 21:08:28 VET 2006 + * Improve the ->dump() and ->str_dump() in ::Packet + * Add the ->auth_*_verify() methods and tests + * Dictionaries can now use the vendor name everywhere + * Added all the dictionaries from Ethereal for completeness + * Shipped dictionaries were cleaned up. IMPORTANT: Legacy, + obsolete entries have been commented. Please review the + dictionary files or keep the ones currently in production + before installing. + * Added pseudo-support for ipv6addr, ifid and date types + * Limit the packet authenticator to 16 bytes + * Tagged attribue support is broken/incomplete - Need examples + to properly write tests and fill in missing functionality + * ->password() now accepts an optional attribute to work with + instead of the default 'User-Password' + +1.50 Mon Oct 23 15:43:20 VET 2006 + Applied patch by Chris that adds support for tagged + attributes. 
+ Applied patch from Flavio, adding this: + * [Dictionary.pm] accept a new keyword in dictionary file, namely + "PACKET", that allows to define packet types + * [Dictionary.pm] these packet types default to the current + state-of-the-art according to + http://www.iana.org/assignments/radius-types + * [Dictionary.pm] the packet types can be accessed via ad-hoc + methods + * [Dictionary.pm] the constructor has been extended to accept + a list of dictionary files to load upon creation (instead of + a single one) + * [Packet.pm] hardcoded mapping hashes in pack() and unpack() + methods are now loaded from the dictionary + Bumped version to 1.50 in the .pm files. + +1.49 Wed Aug 9 11:57:52 VET 2006 + - Making dictionaries case-insensitive seems to breaks old + code in hard to debug ways. This decision was officially + reversed + - set_password now accepts an optional attribute argmuent, to + tell the code where to store the encripted password. Still + defaults to 'User-Password' + +1.46 Mon Jul 31 17:28:16 VET 2006 + - Dictionaries now can be merged with each other, as suggested + by Kevin Steves + - Accessors for dictionary entries now use lc() to match what + is done at parse time + - Dictionaries are now officially case-insensitive + - Various documentation improvements and updates + - Added code against bug in Alcatel 5620 SAM Release 3.0 + (Improper attribute type). Possibly helpful in other cases as + well + +1.45 Thu Oct 16 10:45:02 VET 2003 + - Added support for "octets" as requested by Alex Chen + - Improved / added tests. This now requires Test::More + - Understands the VENDOR syntax for FreeRadius + +1.44 Tue Jan 7 23:06:12 VET 2003 + - By default, tuples not in the dictionary are now ignored. + - Added ->show_unknown_entries() to issue warn()s for each unknown + tuple found in the packets. 
+ +1.43 Thu Dec 20 15:36:42 GMT 2001 + Changes by Tony Mountifield + - added set_password method to generate client password correctly + - added unset_attr method to remove an attribute from a Packet + - added example-client.pl to demonstrate auth and acct + - Added User-Password (as per RFC 2138) both in the code and + in the dictionaries [There's some (broken) software that insists + in 'Password', so this is used unless 'User-Password' is present -lem] + - corrected syntax of the "Welcome, Larry" reply message example. + +1.42 Fri Jul 6 12:22:36 VET 2001 + - Fixed sobe warnings in the packet dump code. (Thanks to Kevin Payne). + +1.41 Fri May 11 10:54:19 EDT 2001 + Changes by Jim Harle (Thanks Jim! -lem) + - added 3com dictionary + - added example radius<->ldap server + - fixed examples to show correct module name + - made Digest::MD5 a prerequisite in Makefile.PL + Dictionary.pm changes + - allow hex and octal constants in dictionary file + - give more details about unknown vendors + Packet.pm changes + - use Digest::MD5 instead of MD5 (newer) + - distinguishes between garbled and unknown VSAs + - individual garbled/unknown VSAs only printed once + - make sure empty passwords don't cause undefined if run with -w + - cleaned up password length issues when running with Authen::Radius + - made indenting in code regular + Changes by lem + - Minor edits here and there + - Errors produced by Net::Radius::Packet are not print'ed but warn'ed + so that they can be catched with $SIG{__WARN__}. + - Added examples/tutorial.pl to show how to use some basic + functions. + - Added ->str_dump to provide the output of a packet dump in + a string. + +1.31 Tue 20 Feb 21:05:00 VET 2001 + - Fixed test.pl so that make test works + - Added mods suggested by Quan Choi regarding the packing + of VSAs with 3Com VSAs + +1.20 Tue 09 Nov 17:09:00 VET 1999 + - Added modifications sent by Ian Smith + to the VSA code. 
This allows VSAs to be sent and understood + properly by the USR/3COM Total Control family. This has not + been individually tested. + +1.10 Sat 23 Jan 19:52:00 VET 1999 + - VSAs now can appear multiple times in a packet. This changes + slightly the interface of the VSAs accessors + +1.10 Fri 22 Jan 12:31:00 VET 1999 + - Added 'date' attribute type. This is used by certain + dictionaries + - Garbled packets no longer attempt to call an undef + code reference in unpack() + - Added some suport for Vendor-Specific attributes + +1.00 Fri 22 Aug 09:22:16 EDT 1997 + - first released version + + diff --git a/MANIFEST b/MANIFEST new file mode 100644 index 0000000..fca22e1 --- /dev/null +++ b/MANIFEST 
@@ -0,0 +1,124 @@ +build-stamp +Changes +contrib/bin2packet +contrib/rad-dump +dicts/dictionary +dicts/dictionary.3com +dicts/dictionary.3com-o +dicts/dictionary.3gpp +dicts/dictionary.3gpp2 +dicts/dictionary.acc +dicts/dictionary.alcatel +dicts/dictionary.alteon +dicts/dictionary.altiga +dicts/dictionary.aptis +dicts/dictionary.ascend +dicts/dictionary.base +dicts/dictionary.bay +dicts/dictionary.bintec +dicts/dictionary.bristol +dicts/dictionary.broadsoft +dicts/dictionary.cablelabs +dicts/dictionary.cabletron +dicts/dictionary.cisco +dicts/dictionary.cisco.bbsm +dicts/dictionary.cisco.vpn3000 +dicts/dictionary.cisco.vpn5000 +dicts/dictionary.colubris +dicts/dictionary.columbia_university +dicts/dictionary.compat +dicts/dictionary.cosine +dicts/dictionary.erx +dicts/dictionary.extreme +dicts/dictionary.foundry +dicts/dictionary.freeradius +dicts/dictionary.gandalf +dicts/dictionary.garderos +dicts/dictionary.gemtek +dicts/dictionary.huawei +dicts/dictionary.itk +dicts/dictionary.juniper +dicts/dictionary.karlnet +dicts/dictionary.livingston +dicts/dictionary.localweb +dicts/dictionary.merit +dicts/dictionary.microsoft +dicts/dictionary.mikrotik +dicts/dictionary.navini +dicts/dictionary.netscreen +dicts/dictionary.nokia +dicts/dictionary.nomadix +dicts/dictionary.propel +dicts/dictionary.quintum +dicts/dictionary.redback +dicts/dictionary.redcreek +dicts/dictionary.shasta +dicts/dictionary.shiva +dicts/dictionary.sonicwall +dicts/dictionary.springtide +dicts/dictionary.t_systems_nova +dicts/dictionary.telebit +dicts/dictionary.trapeze +dicts/dictionary.tunnel +dicts/dictionary.unisphere +dicts/dictionary.unix +dicts/dictionary.usr +dicts/dictionary.valemount +dicts/dictionary.versanet +dicts/dictionary.wispr +dicts/dictionary.xedia +docs/rfc2865.txt +docs/rfc2866.txt +docs/rfc2869.txt +docs/rfc2882.txt +docs/rfc3575.txt +docs/rfc3576.txt +examples/example-client.pl +examples/example-menu.pl +examples/example-unix.pl +examples/example-yes.pl 
+examples/radius2ldap.pl +examples/tutorial.pl +install-stamp +Makefile.PL +MANIFEST This list of files +MANIFEST.SKIP +packets/broadsoft-areq-00.p +packets/cisco-acs-ar-01.p +packets/cisco-acs-ar-02.p +packets/cisco-acs-ar-03.p +packets/cisco-ios-12.2.18-01.p +packets/cisco-ios-12.2.18-02.p +packets/cisco-vpn3k-ar.p +packets/huawei-me60-accreq-01.p +packets/huawei-me60-acctreq-01.p +packets/huawei-me60-acctreq-02.p +packets/README +packets/rsa-aa-01.p +packets/rsa-aa-02.p +packets/rsa-ac-01.p +packets/rsa-ar-01.p +Radius/Dictionary.pm +Radius/Packet.pm +README +README.3COM +README.broken +README.debian +README.packets +README.server +README.VSA +t/00-load.t +t/00-pod.t +t/attrdict.t +t/attrover.t +t/attrslot.t +t/attrunset.t +t/auth.t +t/basedict.t +t/bundled.t +t/dictover.t +t/dump.t +t/packdict.t +t/packets.t +t/vsa.t +META.yml Module meta-data (added by MakeMaker) diff --git a/MANIFEST.SKIP b/MANIFEST.SKIP new file mode 100644 index 0000000..73cbd48 --- /dev/null +++ b/MANIFEST.SKIP @@ -0,0 +1,32 @@ +^\.\.? +^Build$ +^_build/ +^blib/ +^blibdirs +^debian/ +Makefile$ +Makefile\.[a-z]+$ +pm_to_blib +CVS/.* +\.svn +\.cvs +,v$ +^tmp/ +\.old$ +\.log$ +\.bak$ +\.tmp$ +\.xsc$ +~$ +^# +\.shar$ +\.tar$ +\.tgz$ +\.tar\.gz$ +\.zip$ +dict\.\d+$ +_uu$ +\.orig$ +\.rej$ +\.rej\.\d+$ + diff --git a/META.yml b/META.yml new file mode 100644 index 0000000..f1b661c --- /dev/null +++ b/META.yml @@ -0,0 +1,15 @@ +--- #YAML:1.0 +name: Net-Radius +version: 2.103 +abstract: ~ +license: ~ +author: ~ +generated_by: ExtUtils::MakeMaker version 6.42 +distribution_type: module +requires: + Digest::MD5: 0 + Test::More: 0 + Test::Warn: 0 +meta-spec: + url: http://module-build.sourceforge.net/META-spec-v1.3.html + version: 1.3 diff --git a/Makefile.PL b/Makefile.PL new file mode 100644 index 0000000..cc2d55e --- /dev/null +++ b/Makefile.PL 
@@ -0,0 +1,25 @@ +use ExtUtils::MakeMaker; + +my $version = (split(m/:/, qx{svnversion 2>/dev/null}, 2))[0]; +$version = sprintf("%d", (q$Revision: 102 $ =~ /\d+/g)[0]) + unless $version; +$version /= 1000; +$version += 2; +$version = sprintf("%0.3f", $version); + +# See lib/ExtUtils/MakeMaker.pm for details of how to influence +# the contents of the Makefile that is written. +WriteMakefile( + 'NAME' => 'Net::Radius', + VERSION => $version, + 'PM' => { + map { ("$_.pm" => "\$(INST_LIBDIR)/$_.pm") } + qw(Radius/Packet Radius/Dictionary) + }, + PREREQ_PM => { + 'Digest::MD5' => 0, + 'Test::More' => 0, + 'Test::Warn' => 0, + }, + 'dist' => {COMPRESS => 'gzip -9f', SUFFIX => 'gz'} +); diff --git a/README b/README new file mode 100644 index 0000000..cc1d127 --- /dev/null +++ b/README 
@@ -0,0 +1,119 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + + + +Net::Radius Modules +=================== + +The modules included here provide an interface to the RADIUS +protocol. It consists of the following modules: + +Net::Radius::Packet - Deals with RADIUS packets +Net::Radius::Dictionary - Deals with RADIUS dictionaries + +This module is essentially the original RADIUS-1.0 distribution by +Christopher Masto plus a number of changes and fixes by Luis Muñoz and +Ian Smith. + +It has been changed so that it better fits the CPAN namespace. See the +other README.* files in this archive for additional information. + +The installation follows the standard protocol... + +$ perl Makefile.PL +$ make +$ make test +$ make install + +The ./examples directory contain a number of simple examples. + +This code supports the use of vendor specific attributes. This +type of attribute is defined in RFC-2138 and is used to support +'propietary' extensions on top of the base RADIUS specification. + +There are two new kinds of entries in the RADIUS dictionary in +order to specify VSAs. + +VENDORATTR + +This entry is used to create a new kind of vendor attribute, +such as in this example + +VENDORATTR 9 cisco-avpair 1 string + +This creates a new vendor-specific attribute for vendor 9 (Cisco +Systems), with name 'cisco-avpair'. This attribute is identified by +numeric id '1' and is associated with a string value. + +The second type of entry allows the specification of named values. +The following is an hypotetical example of named value entry. 
+ +VENDORATTR 9 cisco-enum 254 integer +VENDORVALUE 9 cisco-enum Value-1 1 +VENDORVALUE 9 cisco-enum Value-2 2 +VENDORVALUE 9 cisco-enum Value-3 3 + +Alternatively, you can use the widely deployed FreeRadius dictionary +files' syntax of: + +VENDOR Cisco 9 +ATTRIBUTE Cisco-AVPair 1 string Cisco + +About the stability, this code has been in very active use at a +largish ISP with millions of users using a variety of network +equipment with impressive results. It has been succesfully used under +FreeBSD, Linux, Solaris and Tru64. + +There's copious support material along with this distribution. Please +do take a look. + +DO YOU WANT TO THANK ME? + +If you consider this a valuable contribution, there is a web page +where you can express your gratitude. Please see + + http://mipagina.cantv.net/lem/thanks-en.html (English) + http://mipagina.cantv.net/lem/thanks-es.html (Spanish) + +SECURITY CONSIDERATIONS + +I have no control on the machanisms involved in the storage or +transport of this distribution. This means that I cannot guarantee +that the distribution you have in your hands is indeed, the same +distribution I packed and uploaded. + +Along the distribution file, you should have a file with the extension +".asc". This contains a GPG "detached signature" that makes it +impossible for anybody to alter this distribution. If security is of +any concern to you, by all means verify the signature of this file and +contact the author if any discrepancy is detected. + +You can find more information about this at the following URL + + http://mipagina.cantv.net/lem/gpg/ + +COPYRIGHT AND LICENSE + +Original work (c) Christopher Masto. Changes (c) 2002,2003 Luis +E. Muñoz . + +This software can be used under the same terms as perl itself. It also +carries the same warranties. 
+ +Please send bug reports (or patches) as well as feedback and +suggestions to + +luismunoz@cpan.org + +When submitting bugs, it is very important that you include the +relevant information for reproducing the bug. Packet dumps are most +useful. + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.2.1 (Darwin) + +iD8DBQFEznquQyDWGRI/hhARAq37AJ4nwkdiU1eqgpTObZ0G2QZ0jvQU2QCgkR28 +nf3syw7TJsGGyrr/KSTcyfU= +=Of85 +-----END PGP SIGNATURE----- diff --git a/README.3COM b/README.3COM new file mode 100644 index 0000000..fc78e18 --- /dev/null +++ b/README.3COM @@ -0,0 +1,28 @@ + +Feb 21 2001: + +Finally the VSA packing/unpacking works with 3Com equipment. Ian Smith +contributed code to unpack VSAs coming from the 3Com. Quan Choi +reported useful information regarding the encoding of the +VSAs. According to Quan, 3Com packs the VSAs according to the +following structure: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Vendor-Id + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Vendor-Id (cont) | Sub-Attribute Type + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Sub-Attribute Type | Payload... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +Which is fine, as RFC-2138 does not mandate any particular structure +for the Vendor-Specific payload. + +Thanks to both Ian and Quan for the help. + +luismunoz@cpan.org + +$Id: README.3COM 7 2003-01-08 03:42:41Z lem $ + diff --git a/README.VSA b/README.VSA new file mode 100644 index 0000000..967e7c9 --- /dev/null +++ b/README.VSA 
@@ -0,0 +1,41 @@ + +Vendor-Specific Attribute support + +This code supports the use of vendor specific attributes. This +type of attribute is defined in RFC-2138 and is used to support +'propietary' extensions on top of the base RADIUS specification. + +There are two new kinds of entries in the RADIUS dictionary in +order to specify VSAs. + +VENDORATTR + +This entry is used to create a new kind of vendor attribute, +such as in this example + +VENDORATTR 9 cisco-avpair 1 string + +This creates a new vendor-specific attribute for vendor 9 (Cisco +Systems), with name 'cisco-avpair'. This attribute is identified by +numeric id '1' and is associated with a string value. + +The second type of entry allows the specification of named values. +The following is an hypotetical example of named value entry. + +VENDORATTR 9 cisco-enum 254 integer +VENDORVALUE 9 cisco-enum Value-1 1 +VENDORVALUE 9 cisco-enum Value-2 2 +VENDORVALUE 9 cisco-enum Value-3 3 + +Questions and comments about the package can be sent to the +author of the module, Christopher Masto . + +Questions and comments about the VSA support can be directed +to the author of this part of the code, Luis E. Muñoz + + +Ian Smith contributed code for 3COM +VSAs. + +$Id: README.VSA 7 2003-01-08 03:42:41Z lem $ + diff --git a/README.broken b/README.broken new file mode 100644 index 0000000..07d248f --- /dev/null +++ b/README.broken 
@@ -0,0 +1,29 @@ + +* NAS-IP-Address and other "ipaddr" encoding inconsistencies + + I've confirmed some reports that the Alcatel 5620 SAM Release 3.0 + and possibly other endpoints from this or other vendors, are + improperly encoding the IP address in the NAS-IP-Address tuple. The + relevant RFCs state that NAS-IP-Address should be encoded as four + octets, MSB. However, this device seems to be packing the argument + as a plain string. + + This error may manifest itself as a parameter length mismatch with + inet_ntoa() in earlier versions of Net::Radius. A packet dump + exhibiting this problem looks like this... + + $ tcpdump -vvv -nr tcpdump-radius.out + reading from file tcpdump-radius.out, link-type EN10MB (Ethernet) + 16:13:29.540605 IP (tos 0x0, ttl 250, id 41011, offset 0, flags + [DF], length: 108) 10.120.156.15.33452 > 161.196.109.5.1645: RADIUS, + length: 80 + Access Request (1), id: 0x78, Authenticator: ... + NAS IP Address Attribute (4), length: 15, Value: ERROR: length 13 != 4 + 0x0000: 3130 2e31 3230 2e31 3536 2e31 35 + + Note the error pointed out by tcpdump, referring to the length of + the attribute. + + In order to improve interoperability, I've included code that allows + decoding of these packets, by simply returning the enclosed string + "as is" to the calling script. diff --git a/README.debian b/README.debian new file mode 100644 index 0000000..6ef4d8d --- /dev/null +++ b/README.debian @@ -0,0 +1,11 @@ + +On Debian systems, all the bundled dictionaries are placed in +/usr/share/libnet-radius-perl/dicts. + +Documentation is placed in /usr/share/doc/libnet-radius-perl/ as per +the Debian Policy. + +For other distributions or under manual installation, you may need to +locate those files manually according to your needs. + +Luis E. Muñoz / 2009-08-25 \ No newline at end of file diff --git a/README.packets b/README.packets new file mode 100644 index 0000000..67882e2 --- /dev/null +++ b/README.packets 
@@ -0,0 +1,100 @@ + +As of version 1.52, Net::Radius includes the "packet tests". Those +packet tests consist of RADIUS packets captured in various production +environments and passed through Net::Radius, to see how it fares with +real-world data. + +Ideally, every bug report about Net::Radius related to the dialog with +a given network device, should include a proper packet capture that +allows for the reproduction of the problem. This also allows the +implementation of regression tests that will insure that packets will +be decoded properly in later versions of this distribution. + +To be useful, a packet capture must include the complete (binary) RADIUS +packet(s) in one or more files. Also, the following information would +be of help: + +* RADIUS Secret and Auhenticator, if applicable and known + +* Name, version and relevant information about the device producing + the packet + +* Relevant dictionary entries to properly decode the packet + attributes. This is specially important with Vendor-Specific + Attributes + +* If you're including more than a single packet, please specify what + each one should contain + +If the packet dump is being provided as part of a bug report, a +concise explanation about why the Net::Radius handling of the packet +is incorrect and what the correct or expected result is. If you have +references to document this further, please provide them as +well. Packet dumps from other RADIUS server doing "the right thing" +are worth extra points. + +If you want to contribute with the production of more packet tests, +please consider the following: + +* Devices not currently included in the packet tests are + welcome. Exotic, old or obsoleted devices are even more welcome (Any + PortMaster 2 or 3 out there?) 
+ +* Ideally, try to provide at least one sample packet of each type that + your device is able to send (ie, Access-Request, Accounting-Request, + etc) + +* Packet dumps will be copied straight into the distribution - You're + responsible for safeguarding any private or restricted information + on the packets, such as the RADIUS secret, user names or passwords, + IP addresses, etc. + +HOW TO PRODUCE A PACKET DUMP + +Packet dumps can be produced with any tool whose output is supported +by wireshark (formerly, ethereal), which is then used to extract the +packet payload and build the corresponding test. My recommendation is +to use the tcpdump utility, available in many operating systems. There +are other compatible utilities that can store captured packets as raw +binary files, which can be compressed and sent via email or attached +to a bug report. + +By way of example, let's say that the RADIUS server is located at IP +address 10.0.0.1, serving requests in the UDP ports 1812 and 1813 for +authentication and accounting respectively, while the device whose +dialog we want to capture, uses IP address 10.0.0.5. Packets from the +device to the server could be captured using the following command (in +a single line): + +tcpdump -s 0 -c 1 -w radius.dump -e 'src host 10.0.0.5 and dst host + 10.0.0.1 and udp and portrange 1812-1813' + +Of course, the machine must have an interface connected so that +traffic can be sniffed, whose name may have to be specified. Note that +only one packet is being captured (-c option) although you could +capture more that this. + +Likewise, response packets from the RADIUS server to the device can be +captured with the following command: + +tcpdump -s 0 -c 1 -w radius.dump -e 'src host 10.0.0.1 and dst host + 10.0.0.5 and udp and portrange 1812-1813' + +tcpdump has a nice and extensive manual page that explains all of its +options. 
Please take a look at it so that you understand independently +what the incantations I've provided above actually do or conversely, +whether there is something else you may need to do in your environment +to acurately record the information you want. + +IMPORTANT: Remember that full packets are needed for proper +testing. Make sure your captures include all of the packet +payload. Including only the packet headers make for a very poor test +input. In the examples above, the -s option takes care of this. + +The commands disussed above will capure packets to/from the relevant +devices, leavig them in the file radius.dump that you can now +send. Remember to record and include the useful information mentioned +in the first part of these instructions. + +If you want to provide the source file for the tests directly, please +take a look at the file packets/README diff --git a/README.server b/README.server new file mode 100644 index 0000000..be65eb4 --- /dev/null +++ b/README.server @@ -0,0 +1,12 @@ +This distribution includes a few RADIUS servers with different degrees +if functionality in the examples directory. If you're considering +writing a RADIUS server, take a look at Net::Radius::Server before +starting. + +Net::Radius::Server is an extensible framework allowing the creation +of RADIUS servers with very little programming. Complex tasks are +easily accomplished by means of a pipeline architecture in which each +request is matched and then acted upon by Perl code. + +Classes implementing common tasks are already included. + diff --git a/Radius/Dictionary.pm b/Radius/Dictionary.pm new file mode 100644 index 0000000..dddfd1a --- /dev/null +++ b/Radius/Dictionary.pm 
@@ -0,0 +1,386 @@ +package Net::Radius::Dictionary; + +use strict; +use warnings; +use vars qw($VERSION); + +# $Id: Dictionary.pm 80 2007-04-26 20:20:02Z lem $ + +$VERSION = '1.55'; + +sub new { + my $class = shift; + my $self = { + rvsattr => {}, + vsattr => {}, + vsaval => {}, + rvsaval => {}, + attr => {}, + rattr => {}, + val => {}, + rval => {}, + vendors => {}, + packet => undef, # Fall back to default + rpacket => undef, # Fall back to default + }; + bless $self, $class; + $self->readfile($_) for @_; # Read all given dictionaries + return $self; +} + +sub readfile { + my ($self, $filename) = @_; + + open DICT, "<$filename"; + + while (defined(my $l = )) { + next if $l =~ /^\#/; + next unless my @l = split /\s+/, $l; + + if ($l[0] =~ m/^vendor$/i) + { + if (defined $l[1] and defined $l[2] and $l[2] =~ /^[xo0-9]+$/) + { + if (substr($l[2],0,1) eq "0") { #allow hex or octal + my $num = lc($l[2]); + $num =~ s/^0b//; + $l[2] = oct($num); + } + $self->{vendors}->{$l[1]} = $l[2]; + } + else + { + warn "Garbled VENDOR line $l\n"; + } + } + elsif ($l[0] =~ m/^attribute$/i) + { + if (@l == 4) + { + $self->{attr}->{$l[1]} = [@l[2,3]]; + $self->{rattr}->{$l[2]} = [@l[1,3]]; + } + elsif (@l == 5) # VENDORATTR + { + if (substr($l[2],0,1) eq "0") { #allow hex or octal + my $num = lc($l[2]); + $num =~ s/^0b//; + $l[2] = oct($num); + } + if (exists $self->{vendors}->{$l[4]}) + { + $self->{vsattr}->{$self->{vendors}->{$l[4]}}->{$l[1]} + = [@l[2, 3]]; + $self->{rvsattr}->{$self->{vendors}->{$l[4]}}->{$l[2]} + = [@l[1, 3]]; + } + elsif ($l[4] =~ m/^\d+$/) + { + $self->{vsattr}->{$l[4]}->{$l[1]} = [@l[2, 3]]; + $self->{rvsattr}->{$l[4]}->{$l[2]} = [@l[1, 3]]; + } + else + { + warn "Warning: Unknown vendor $l[4]\n"; + } + } + } + elsif ($l[0] =~ m/^value$/i) { + if (exists $self->{attr}->{$l[1]}) { + $self->{val}->{$self->{attr}->{$l[1]}->[0]}->{$l[2]} = $l[3]; + $self->{rval}->{$self->{attr}->{$l[1]}->[0]}->{$l[3]} = $l[2]; + } + else { + for my $v (keys %{$self->{vsattr}}) + { 
+ if (defined $self->{vsattr}->{$v}->{$l[1]}) + { + $self->{vsaval}->{$v}->{$self->{vsattr}->{$v} + ->{$l[1]}->[0]}->{$l[2]} + = $l[3]; + $self->{rvsaval}->{$v}->{$self->{vsattr}->{$v} + ->{$l[1]}->[0]}->{$l[3]} + = $l[2]; + } + } + } + } + elsif ($l[0] =~ m/^vendorattr$/i) { + if (substr($l[3],0,1) eq "0") { #allow hex or octal + my $num = lc($l[3]); + $num =~ s/^0b//; + $l[3] = oct($num); + } + if (exists $self->{vendors}->{$l[1]}) + { + $self->{vsattr}->{$self->{vendors}->{$l[1]}}->{$l[2]} + = [@l[3, 4]]; + $self->{rvsattr}->{$self->{vendors}->{$l[1]}}->{$l[3]} + = [@l[2, 4]]; + } + elsif ($l[1] =~ m/^\d+$/) + { + $self->{vsattr}->{$l[1]}->{$l[2]} = [@l[3, 4]]; + $self->{rvsattr}->{$l[1]}->{$l[3]} = [@l[2, 4]]; + } + else + { + warn "Warning: Unknown vendor $l[1]\n"; + } + } + elsif ($l[0] =~ m/^vendorvalue$/i) { + if (substr($l[4],0,1) eq "0") + { #allow hex or octal + my $num = lc($l[4]); + $num =~ s/^0b//; + $l[4] = oct($num); + } + if (exists $self->{vendors}->{$l[1]}) + { + $self->{vsaval}->{$self->{vendors}->{$l[1]}} + ->{$self->{vsattr}->{$self->{vendors}->{$l[1]}} + ->{$l[2]}->[0]}->{$l[3]} = $l[4]; + $self->{rvsaval}->{$self->{vendors}->{$l[1]}} + ->{$self->{vsattr}->{$self->{vendors}->{$l[1]}} + ->{$l[2]}->[0]}->{$l[4]} = $l[3]; + } + elsif ($l[1] =~ m/^\d+$/) + { + $self->{vsaval}->{$l[1]}->{$self->{vsattr}->{$l[1]}->{$l[2]} + ->[0]}->{$l[3]} = $l[4]; + $self->{rvsaval}->{$l[1]}->{$self->{vsattr}->{$l[1]}->{$l[2]} + ->[0]}->{$l[4]} = $l[3]; + } + else { + warn "Warning: $filename contains vendor value for ", + "unknown vendor attribute - ignored ", + "\"$l[1]\"\n $l"; + } + } + elsif (lc($l[0]) eq 'packet') { + my ($name, $value) = @l[1,2]; + $self->{packet}{$name} = $value; + $self->{rpacket}{$value} = $name; + } + else { + warn "Warning: Weird dictionary line: $l\n"; + } + } + close DICT; +} + +# Accessors for standard attributes + +sub vendor_num { $_[0]->{vendors}->{$_[1]}; } +sub attr_num { $_[0]->{attr}->{$_[1]}->[0]; } +sub attr_type { 
$_[0]->{attr}->{$_[1]}->[1]; } +sub attr_name { $_[0]->{rattr}->{$_[1]}->[0]; } +sub attr_numtype { $_[0]->{rattr}->{$_[1]}->[1]; } +sub attr_has_val { $_[0]->{val}->{$_[1]}; } +sub val_has_name { $_[0]->{rval}->{$_[1]}; } +sub val_num { $_[0]->{val}->{$_[1]}->{$_[2]}; } +sub val_name { $_[0]->{rval}->{$_[1]}->{$_[2]}; } +sub val_tag { $_[0]->{val}->{$_[1]}->{$_[3]}; } + +# Accessors for Vendor-Specific Attributes + +sub vsattr_num { $_[0]->{vsattr}->{$_[1]}->{$_[2]}->[0]; } +sub vsattr_type { $_[0]->{vsattr}->{$_[1]}->{$_[2]}->[1]; } +sub vsattr_name { $_[0]->{rvsattr}->{$_[1]}->{$_[2]}->[0]; } +sub vsattr_numtype { $_[0]->{rvsattr}->{$_[1]}->{$_[2]}->[1]; } +sub vsattr_has_val { $_[0]->{vsaval}->{$_[1]}->{$_[2]}; } +sub vsaval_has_name { $_[0]->{rvsaval}->{$_[1]}->{$_[2]}; } +sub vsaval_has_tval { $_[0]->{vsaval}->{$_[1]}->{$_[2]}->[0]; } +sub vsaval_has_tag { $_[0]->{vsaval}->{$_[1]}->{$_[2]}->[1]; } +sub vsaval_num { $_[0]->{vsaval}->{$_[1]}->{$_[2]}->{$_[3]}; } +sub vsaval_name { $_[0]->{rvsaval}->{$_[1]}->{$_[2]}->{$_[3]}; } + +# Accessors for packet types. Fall-back to defaults if the case. 
+ +# Defaults taken from http://www.iana.org/assignments/radius-types +# as of Oct 21, 2006 +my %default_packets = ( + 'Access-Request' => 1, # [RFC2865] + 'Access-Accept' => 2, # [RFC2865] + 'Access-Reject' => 3, # [RFC2865] + 'Accounting-Request' => 4, # [RFC2865] + 'Accounting-Response' => 5, # [RFC2865] + 'Accounting-Status' => 6, # [RFC2882] (now Interim Accounting) + 'Interim-Accounting' => 6, # see previous note + 'Password-Request' => 7, # [RFC2882] + 'Password-Ack' => 8, # [RFC2882] + 'Password-Reject' => 9, # [RFC2882] + 'Accounting-Message' => 10, # [RFC2882] + 'Access-Challenge' => 11, # [RFC2865] + 'Status-Server' => 12, # (experimental) [RFC2865] + 'Status-Client' => 13, # (experimental) [RFC2865] + 'Resource-Free-Request' => 21, # [RFC2882] + 'Resource-Free-Response' => 22, # [RFC2882] + 'Resource-Query-Request' => 23, # [RFC2882] + 'Resource-Query-Response' => 24, # [RFC2882] + 'Alternate-Resource-Reclaim-Request' => 25, # [RFC2882] + 'NAS-Reboot-Request' => 26, # [RFC2882] + 'NAS-Reboot-Response' => 27, # [RFC2882] + # 28 Reserved + 'Next-Passcode' => 29, # [RFC2882] + 'New-Pin' => 30, # [RFC2882] + 'Terminate-Session' => 31, # [RFC2882] + 'Password-Expired' => 32, # [RFC2882] + 'Event-Request' => 33, # [RFC2882] + 'Event-Response' => 34, # [RFC2882] + 'Disconnect-Request' => 40, # [RFC3575] + 'Disconnect-ACK' => 41, # [RFC3575] + 'Disconnect-NAK' => 42, # [RFC3575] + 'CoA-Request' => 43, # [RFC3575] + 'CoA-ACK' => 44, # [RFC3575] + 'CoA-NAK' => 45, # [RFC3575] + 'IP-Address-Allocate' => 50, # [RFC2882] + 'IP-Address-Release' => 51, # [RFC2882] + # 250-253 Experimental Use + # 254 Reserved + # 255 Reserved [RFC2865] +); + +# Reverse defaults. 
Remember that code #6 has a double mapping, force +# to Interim-Accouting +my %default_rpackets + = map { $default_packets{$_} => $_ } keys %default_packets; +$default_rpackets{6} = 'Interim-Accounting'; + +# Get full hashes +sub packet_numbers { %{ $_[0]->{packet} || \%default_packets } } +sub packet_names { %{ $_[0]->{rpacket} || \%default_rpackets }; } + +# Single resolution, I'm taking care of avoiding auto-vivification +sub packet_hasname { + my $href = $_[0]->{packet} || \%default_packets; + my $ok = exists $href->{$_[1]}; + return $ok unless wantarray; + # return both answer and the resolution + return ($ok, $ok ? $href->{$_[1]} : undef); +} + +sub packet_hasnum { + my $href = $_[0]->{rpacket} || \%default_rpackets; + my $ok = exists $href->{$_[1]}; + return $ok unless wantarray; + # return both answer and the resolution + return ($ok, $ok ? $href->{$_[1]} : undef); +} + +# Note: crossed, as it might not be immediately evident +sub packet_num { ($_[0]->packet_hasname($_[1]))[1]; } +sub packet_name { ($_[0]->packet_hasnum($_[1]))[1]; } + +1; +__END__ + +=head1 NAME + +Net::Radius::Dictionary - RADIUS dictionary parser + +=head1 SYNOPSIS + + use Net::Radius::Dictionary; + + my $dict = new Net::Radius::Dictionary "/etc/radius/dictionary"; + $dict->readfile("/some/other/file"); + my $num = $dict->attr_num('User-Name'); + my $name = $dict->attr_name(1); + my $vsa_num = $dict->vsattr_num(9, 'cisco-avpair'); + my $vsa_name = $dict->vsattr_name(9, 1); + +=head1 DESCRIPTION + +This is a simple module that reads a RADIUS dictionary file and +parses it, allowing conversion between dictionary names and numbers. +Vendor-Specific attributes are supported in a way consistent to the +standards. + +A few earlier versions of this module attempted to make dictionaries +case-insensitive. This proved to be a very bad decision. 
From this +version on, this tendency is reverted: Dictionaries and its contents +are to be case-sensitive to prevent random, hard to debug failures in +production code. + +=head2 METHODS + +=over + +=item B + +Returns a new instance of a Net::Radius::Dictionary object. This +object will have no attributes defined, as expected. + +If given an (optional) list of filenames, it calls I for you +for all of them, in the given order. + +=item B<-Ereadfile($dict_file)> + +Parses a dictionary file and learns the mappings to use. It can be +called multiple times for the same object. The result will be that new +entries will override older ones, thus you could load a default +dictionary and then have a smaller dictionary that override specific +entries. + +=item B<-Evendor_num($vendorname)> + +Return the vendor number for the given vendor name. + +=item B<-Eattr_num($attrname)> + +Returns the number of the named attribute. + +=item B<-Eattr_type($attrname)> + +Returns the type (I, I, I, or I
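Review bot: the one-line accessors at the top of the Dictionary.pm hunk (attr_num through vsaval_name) autovivify on a miss: an rvalue lookup like `$dict->attr_num('No-Such-Attr')` leaves `$self->{attr}->{'No-Such-Attr'}` behind as an empty array ref, so a later `exists` check on that key succeeds and the dictionary silently grows with every unknown name or number a caller passes in (a concern if callers feed it attribute numbers taken from received packets). The packet_hasname/packet_hasnum subs further down already guard the lookup with `exists` precisely to avoid this; the same pattern should be applied to the attribute, value and VSA accessors. While there: `val_tag` indexes `$_[3]` where its siblings `val_num` and `val_name` use `$_[2]`, and `vsaval_has_tval`/`vsaval_has_tag` dereference `{vsaval}->{$v}->{$a}` as an array ref (`->[0]`, `->[1]`) while `vsaval_num` dereferences the same slot as a hash (`->{$_[3]}`); either document the intended argument list and data shape or fix the index. The comment above `%default_rpackets` also misspells "Interim-Accounting" as "Interim-Accouting".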
