Posted on 2003-11-25 14:18:03, modified on 2006-01-09 16:29:21
Tags: Networking, Rant
There is an old joke: the great thing about standards is that there are so many to choose from. This log is not about that, but about the point that if you stick to a standard, you should implement it properly.
Comindico is one of the Australian providers of dial-in services. If you are an ISP the workflow goes like this: a user dials in to a Comindico terminal server, that terminal server asks the Comindico radius server for authentication, that radius server asks your radius server for authentication, and the yes or no goes all the way back to the terminal server, which either lets the user in or disconnects them. Works fine in theory, and mostly in real life too.
Your radius server can hand more information back to the Comindico radius server in its Access-Accept, for example an IP address and subnet mask, a maximum session time limit and your DNS servers. It all works fine, as long as you use the right attributes from the right dictionary.
Comindico says: "Please use Ascend-Client-Primary-DNS and Ascend-Client-Secondary-DNS for this." They are defined in the Ascend vendor dictionary (vendor number 529) as attributes 135 and 136, so a standards-compliant radius server sends each of them wrapped in a Vendor-Specific attribute (type 26) carrying vendor ID 529.
Except in the radius server from Comindico, where they live in the default dictionary: plain top-level attributes 135 and 136, not wrapped in Vendor-Specific at all.
With the result that their broken radius doesn't understand my perfectly legal answer with all the information in it, and I have to put these attributes in my default dictionary, where they will be overwritten the moment I update my software, and the whole system will come apart if the IANA ever approves attributes 135 and 136 in the default dictionary.
Moral of the story: if you use an open standard, use it the way it was intended and don't invent your own wrapper around it.
This whole story wouldn't be here if I hadn't been reminded of the whole drama by the move to a new ADSL provider, which is nothing more or less than a reseller of the Comindico ADSL services. Once we finally had the authentication of our users working, we couldn't get the DNS servers configured correctly because they haven't figured out the story above yet. If ever.
Standard compliant radius packet:
13:30:56.513559 172.16.1.10.1812 > 192.168.1.14.4738: rad-access-accept 62 [id 68] Attr[ Framed_ipaddr{203.111.122.2} Framed_ipnet{255.255.255.255} Vendor_specific{........X.} Vendor_specific{........X.} Session_timeout{168:00:00 hours} ]
0x0000 4500 005a bba3 0000 3f11 b8ae dab9 580a E..Z....?.....X.
0x0010 cb6f 090e 0714 1282 0046 0eb6 0244 003e .o.......F...D.>
0x0020 6224 b0bb d92e 341e 14dd e2c2 b0ce abde b$....4.........
0x0030 0806 cb6f 7a02 0906 ffff ffff 1a0c 0000 ...oz...........
0x0040 0211 8806 dab9 5801 1a0c 0000 0211 8706 ......X.........
0x0050 dab9 580e 1b06 0009 3a80 ..X.....:.
Comindico compliant radius packet:
13:28:51.958102 172.16.1.10.1812 > 192.168.1.14.4738: rad-access-accept 50 [id 67] Attr[ Framed_ipaddr{203.111.122.2} Framed_ipnet{255.255.255.255}#136#135 Session_timeout{168:00:00 hours} ]
0x0000 4500 004e f27a 0000 3f11 81e3 dab9 580a E..N.z..?.....X.
0x0010 cb6f 090e 0714 1282 003a a842 0243 0032 .o.......:.B.C.2
0x0020 c1a0 ac29 4931 4fbf 3440 7714 9d52 c3ea ...)I1O.4@w..R..
0x0030 0806 cb6f 7a02 0906 ffff ffff 8806 dab9 ...oz...........
0x0040 5801 8706 dab9 580e 1b06 0009 3a80 X.....X.....:.
Spot the difference. And be afraid.
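To make the difference concrete, here is an added example that is not part of the original post and not Comindico's or Ascend's code: a small Python decoder that takes the two hex dumps above, strips the IP and UDP headers, and walks the RADIUS attributes with a minimal "default" dictionary plus the Ascend vendor dictionary. The vendor ID 529 and attribute numbers 135/136 are from the post; the dictionary tables, the `Attr-N` naming for unknown attributes and the RFC 5607 remark (which later assigned top-level 135 and 136 to Management-Policy-Id and Management-Privilege-Level) are my additions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Hex dumps copied from the two tcpdump captures in the post; each frame
# starts with its IPv4 and UDP headers, exactly as tcpdump printed them.
STANDARD_DUMP = """
4500 005a bba3 0000 3f11 b8ae dab9 580a
cb6f 090e 0714 1282 0046 0eb6 0244 003e
6224 b0bb d92e 341e 14dd e2c2 b0ce abde
0806 cb6f 7a02 0906 ffff ffff 1a0c 0000
0211 8806 dab9 5801 1a0c 0000 0211 8706
dab9 580e 1b06 0009 3a80
"""
COMINDICO_DUMP = """
4500 004e f27a 0000 3f11 81e3 dab9 580a
cb6f 090e 0714 1282 003a a842 0243 0032
c1a0 ac29 4931 4fbf 3440 7714 9d52 c3ea
0806 cb6f 7a02 0906 ffff ffff 8806 dab9
5801 8706 dab9 580e 1b06 0009 3a80
"""

VENDOR_SPECIFIC = 26      # RFC 2865 attribute that wraps vendor attributes
ASCEND_VENDOR_ID = 529    # Ascend's IANA enterprise number, as in the post

# "Default" dictionary: just the RFC 2865 attributes these packets use.
DEFAULT_DICT = {
    8: ("Framed-IP-Address", "ipaddr"),
    9: ("Framed-IP-Netmask", "ipaddr"),
    27: ("Session-Timeout", "integer"),
}
# Ascend vendor dictionary: sub-attributes carried inside Vendor-Specific.
ASCEND_DICT = {
    135: ("Ascend-Client-Primary-DNS", "ipaddr"),
    136: ("Ascend-Client-Secondary-DNS", "ipaddr"),
}
# The workaround the post describes: the same two names copied into the
# top-level space, where they collide with whatever IANA assigns to 135/136
# (RFC 5607 later gave them to Management-Policy-Id / Management-Privilege-Level).
COMINDICO_WORKAROUND = {**DEFAULT_DICT, **ASCEND_DICT}

@dataclass
class Attr:
    number: int
    name: str
    value: object
    vendor: Optional[int] = None   # set only for sub-attributes of a VSA

def frame_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))

def radius_payload(frame: bytes) -> bytes:
    """Skip the IPv4 header (length taken from IHL) and the 8-byte UDP header."""
    ihl = (frame[0] & 0x0F) * 4
    return frame[ihl + 8:]

def decode(kind: str, raw: bytes):
    if kind == "ipaddr" and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    if kind == "integer" and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    return raw.hex()               # unknown attribute: keep the bytes, do not guess

def parse_radius(payload: bytes, dictionary=DEFAULT_DICT):
    """Return (code, identifier, [Attr]). Top-level attributes are named from
    `dictionary`; vendor-529 sub-attributes of Vendor-Specific from ASCEND_DICT."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"length field {length} != payload size {len(payload)}")
    attrs = []
    pos = 20                       # code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        raw = payload[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(raw) < 6:
                raise ValueError(f"Vendor-Specific too short at offset {pos}")
            vendor = struct.unpack("!I", raw[:4])[0]
            vtype, vlen = raw[4], raw[5]
            if vlen < 2 or vlen != len(raw) - 4:
                raise ValueError(f"bad vendor length {vlen} at offset {pos}")
            sub = ASCEND_DICT.get(vtype) if vendor == ASCEND_VENDOR_ID else None
            name, kind = sub or (f"Vendor-{vendor}-Attr-{vtype}", "octets")
            attrs.append(Attr(vtype, name, decode(kind, raw[6:4 + vlen]), vendor))
        else:
            name, kind = dictionary.get(atype, (f"Attr-{atype}", "octets"))
            attrs.append(Attr(atype, name, decode(kind, raw)))
        pos += alen
    return code, ident, attrs

def dns_servers(attrs):
    """(primary, secondary) DNS as the dictionary resolved them; None if absent."""
    by_name = {a.name: a.value for a in attrs}
    return (by_name.get("Ascend-Client-Primary-DNS"),
            by_name.get("Ascend-Client-Secondary-DNS"))

if __name__ == "__main__":
    for label, dump in (("standard", STANDARD_DUMP), ("comindico", COMINDICO_DUMP)):
        code, ident, attrs = parse_radius(radius_payload(frame_bytes(dump)))
        print(f"{label}: code={code} id={ident}")
        for a in attrs:
            where = f"VSA vendor {a.vendor}" if a.vendor else "top-level"
            print(f"  {a.number:3d} {a.name:28s} {a.value!s:16s} ({where})")
        print("  DNS with a standard dictionary:", dns_servers(attrs))
```

Run against the standard packet, the two DNS addresses come out as Ascend sub-attributes of Vendor-Specific with vendor 529. Against the Comindico packet, the same bytes show up as nameless top-level `Attr-136` and `Attr-135` and `dns_servers()` finds nothing; only by passing `COMINDICO_WORKAROUND` as the dictionary do they resolve, which is exactly the fragile patch the post complains about.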