Disable message authenticator in response

Asked by Paul Lettich

Since the recent update of FreeRADIUS on Jammy (3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.3) the FreeRADIUS server always sends the "Message-Authenticator" attribute in a response to the client. Unfortunately some clients (still) don't understand this attribute. I've looked through the code but couldn't find a way to deactivate the "Message-Authenticator" attribute in responses.
Did I miss something? Is it possible to deactivate the attribute in responses (maybe even on a per-client basis)? Or can it be removed via unlang (if I read the code and patches correctly, the attribute gets added after all site scripts are evaluated)?

Thanks

Question information

Language: English
Status: Answered
For: Ubuntu freeradius
Assignee: No assignee

Bernard Stafford (bernard010) said (last edit):
#1

Start by updating your system packages to the latest version: *This you did*
*Reboot system after doing an upgrade* ?
sudo systemctl start freeradius
sudo systemctl enable freeradius

actionparsnip (andrew-woodhead666) said :
#2

Possibly this:
https://stackoverflow.com/questions/78857926/freeradius-remove-message-authenticator-from-accept-reply

I've not done any Freeradius work in AGES but can Google with the best of them :)

Paul Lettich (plettich) said :
#3

FreeRADIUS is running without problems (even after reboot), it is just adding the "Message-Authenticator" attribute to every response, even if the corresponding request didn't have one.
This behaviour changed from the -0ubuntu3.2 version.

Paul Lettich (plettich) said :
#4

As the comment below the answer mentioned, this is probably hard-coded now (It looks like it from the back-ported patches as well).
So I'll go with downgrade and pin for now...

Brad Rhoades (roadrunner4191) said :
#5

It would be great to have a fix as this is necessary to support older devices that are no longer being updated.

I can confirm that this is broken. All attempts to disable the "Message-Authenticator" with the latest freeradius3 package failed.

Even after trying to remove the Message-Authenticator in the authorize section or post-auth section, the freeradius debugs showed the field was not being sent; however, the device receiving the Access-Accept message didn't like it. So, I grabbed the "de-liar" and grabbed a packet capture with tcpdump.

I ended up reverting to the earlier package to address this issue. Available freeradius packages were found here:
 https://launchpad.net/ubuntu/+source/freeradius

This is from release - focal

3.0.20+dfsg-3build1
$ freeradius -v
radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Jan 25 2020 at 06:11:13. <--- WORKS!
FreeRADIUS Version 3.0.20

3.0.20+dfsg-3ubuntu0.4
bdrhoad@qcauth:~$ freeradius -v
radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Jan 25 2020 at 06:11:13 <--- BROKEN / hardcoded
FreeRADIUS Version 3.0.20

#
# Debug output from freeradius server - Notice the Message-Authenticator field is omitted in the Access-Accept
#
...
...
(0) Sent Access-Accept Id 202 from 65.###.6##.68:1812 to 10.xxx.xxx.170:6030 length 0
(0) Service-Type = Administrative-User
(0) Class = 0x61646d696e
(0) Finished request
Waking up in 4.9 seconds.

#
# I have the raw PCAP and can share it if needed. The content below has been heavily adjusted to remove internal details.
# You will note the presence of the Access-Accept message
tcpdump -vv -r CHANGED.1.pcap
reading from file CHANGED.1.pcap, link-type EN10MB (Ethernet)
15:29:26.873038 IP (tos 0x0, ttl 247, id 22415, offset 0, flags [none], proto UDP (17), length 89)
    host.top.level.dom.6030 > host.internal.dom.radius: [udp sum ok] RADIUS, length: 61
 Access-Request (1), id: 0xca, Authenticator: asdfasdfasdfasdfasdfasdfasdfasdfasd
   User-Name Attribute (1), length: 5, Value: user
     0x0000: XXXX ##
   User-Password Attribute (2), length: 18, Value:
     0x0000: #### XXXX #### XXXX #### XXXX #### XXXX
   NAS-Identifier Attribute (32), length: 18, Value: HOSTNAME
     0x0000: #### XXXX #### XXXX #### XXXX #### XXXX
15:29:26.874070 IP (tos 0x0, ttl 64, id 15202, offset 0, flags [none], proto UDP (17), length 79)
    host.internal.dom.radius > host.top.level.dom.6030: [bad udp cksum 0x5786 -> 0xc8c9!] RADIUS, length: 51
 Access-Accept (2), id: 0xca, Authenticator: 46d6330f341fe178e47695a0113beedc
   Message-Authenticator Attribute (80), length: 18, Value: .......B .K.....
     0x0000: d2b4 0211 ff12 e742 2014 4b15 0dfa d3f5
   Service-Type Attribute (6), length: 6, Value: Administrative
     0x0000: 0000 0006
   Class Attribute (25), length: 7, Value: CHANGED
     0x0000: XXXX XXXX XXXX
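The capture above shows what the debug log hides: the Access-Accept carries a Message-Authenticator (type 80) attribute. As an added example that is not from this thread or from FreeRADIUS, the Python below builds such an Access-Accept per RFC 2865/2869, parses its attribute list, and recomputes the HMAC-MD5 that a client has to check; the shared secret, Request Authenticator and attribute values are constructed and do not come from the posted capture.

```python
import hashlib
import hmac
import struct

MSG_AUTH_TYPE = 80  # Message-Authenticator, RFC 2869 section 5.14

# Constructed sample values; nothing here is taken from the capture in the post.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ATTRS = [(6, struct.pack("!I", 6)),   # Service-Type = Administrative-User
                (25, b"admin")]               # Class


def build_access_accept(ident, request_auth, attrs, secret, with_msg_auth=True):
    """Build an Access-Accept (code 2). Message-Authenticator is HMAC-MD5 over the
    packet with its own value zeroed and the Request Authenticator in the header;
    the Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if with_msg_auth:
        body += bytes([MSG_AUTH_TYPE, 18]) + bytes(16)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def iter_attrs(pkt):
    """Yield (offset, type, value) for each attribute; reject bad lengths."""
    pos, end = 20, struct.unpack("!H", pkt[2:4])[0]
    while pos < end:
        if pos + 2 > end or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]


def has_message_authenticator(pkt):
    """True if the response carries a Message-Authenticator at all."""
    return any(t == MSG_AUTH_TYPE for _, t, _ in iter_attrs(pkt))


def verify_message_authenticator(pkt, request_auth, secret):
    """Recompute the HMAC with the attribute zeroed; True only if present and correct."""
    for off, t, val in iter_attrs(pkt):
        if t == MSG_AUTH_TYPE and len(val) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expect = hmac.new(secret, zeroed[:4] + request_auth + zeroed[20:],
                              hashlib.md5).digest()
            return hmac.compare_digest(expect, val)
    return False
```

Running has_message_authenticator over decoded responses from a capture is the quickest way to confirm which packaged version adds the attribute, independent of what the server's debug output prints.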

Cameron (cameron4545) said :
#6

Disabling Message-Authenticator in responses improves compatibility with older clients that can't parse it. It’s like cleaning up a noisy Morse signal: .-.. . ... ... / .. ... / -- --- .-. .
Ref: https://github.com/FreeRADIUS/freeradius-server/issues/5436
Decode the Morse here: https://morsedecoders.com
