
I am working with a RADIUS server (whose source code I don't have) whose response to a RADIUS Authentication Request also contains the attributes sent with the request.

However, I was looking at the source code of tinyradius and it does not seem to copy all the attributes from the request packet while generating the response packet. It only copies Attribute number 33 (STATE attribute) if one exists.

RadiusClients seem to accept either response. What is the right thing to do?

user93353

1 Answer


No, RADIUS responses should not contain all the request attributes.

State is special, it can be used to link multiple rounds of requests/responses together.

The two main use cases for State are OTP authentication, where the password and the OTP code are sent over two or more rounds, or EAP authentication which again occurs over multiple rounds.

NAS                     RADIUS
---                     ------
# Password round
Access-Request      ->
                    <-  Access-Challenge
                        [Generates random state 0x01]
# OTP round
Access-Request
[Copies state 0x01] ->
                        Access-Accept/Reject

Without the state attribute, there's no way to link an Access-Challenge, and a subsequent Access-Request together.

Note: There's no specification of what to do with State, it's just used to tie packets together. In FreeRADIUS we maintain a list of 'session-state' attributes, which are available to policies in all rounds of a multi-round authentication attempt.

Arran Cudbard-Bell
  • Ok - thank you. Looks like I was mistaken - it's not attributes. However, beyond the first 20 bytes (i.e. beyond the authenticator) - I see 12 12 followed by Login Successful. Any idea what these 2 12s represent, and is the Login Successful string mandatory? – user93353 Sep 06 '16 at 09:08
  • I think the first 0x12 is the attribute type Reply-Message & the second 0x12 is the length of the attribute 18 (I assume the length includes the length of the attribute type field, the length field and the value itself) – user93353 Sep 06 '16 at 09:25
  • Yep, that's exactly right :) So your max string length is actually 253 bytes, because it includes the type and length. – Arran Cudbard-Bell Sep 06 '16 at 13:57
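
The attribute layout worked out in the comments above (a type octet, a length octet that counts itself and the type, then the value), as an added example that is not part of the original thread: a minimal RADIUS packet parser with length checks, plus the State echo described in the answer. Attribute numbers are from RFC 2865 (Reply-Message 18, State 24); the function names are hypothetical, the sample packets are constructed, and their authenticators are zero-filled placeholders rather than computed values.

```python
import struct

# RFC 2865 attribute type and packet code numbers
REPLY_MESSAGE, STATE = 18, 24
ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not HEADER_LEN <= length <= 4096 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:  # octets past Length are padding and are ignored
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        # a_len counts the type and length octets too, so the value is a_len - 2
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, data[4:HEADER_LEN], attrs


def build_packet(code, ident, authenticator, attrs):
    body = b""
    for a_type, value in attrs:
        if len(value) > 253:  # 255 minus the type and length octets
            raise ValueError("value exceeds 253 bytes")
        body += bytes([a_type, len(value) + 2]) + value
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + authenticator + body


def state_to_echo(challenge: bytes):
    """State attributes a NAS copies from an Access-Challenge into its next request."""
    code, _, _, attrs = parse_packet(challenge)
    return [(t, v) for t, v in attrs if code == ACCESS_CHALLENGE and t == STATE]


# Constructed sample packets (not captured traffic).
ZERO_AUTH = bytes(16)
ACCEPT = build_packet(ACCESS_ACCEPT, 7, ZERO_AUTH, [(REPLY_MESSAGE, b"Login Successful")])
CHALLENGE = build_packet(ACCESS_CHALLENGE, 7, ZERO_AUTH,
                         [(REPLY_MESSAGE, b"Enter OTP"), (STATE, b"\x01")])
```

The bounds checks in `parse_packet` matter on any listener that accepts packets from the network: an attribute length below 2 would otherwise loop forever or misalign every following attribute.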