RADIUS server using APM to authenticate users
Problem this snippet solves:
this code convert APM policy to a RADIUS server.
Code description
When a Radius request is accepted by the VS:
-
the radius client IP address is checked against a Datagroup list.
- if in list : The shared secret is extracted from Datagroup list
- if not : drop the packet
-
the password is decrypted with radius secret
-
if request code is Access-Request, an APM session is created and radius attributes are set as session variable (including username and password)
-
Access session is evaluated and return
orallow
resultdeny
-
If the Access policy include radius attribute stored in variable
, attributes are added to the radius responsesession.result.radius_attr
-
return Access-Accept or Access-Reject response code based on the session result.
Supported request Packet types:
- Access-Request (1)
Returned Packet types:
- Access-Accept (2)
- Access-Reject (3)
Required request attributes
- User-Name (1)
- User-Password (2)
Optional request attributes
- NAS-IP-Address (4) : IP address
- NAS-Port (5) : Integer
- NAS-Identifier (32) : String
- NAS-Port-Type (61) : Integer
All other attributes are ignored by this irule
Supported response Attributes
All RFC2865 attributes are allowed. Vendor specific attributes are not supported yet.
Note : First version of this code was an enhancement of John McInnes RADIUS Server iRule who had to parse all RADIUS Data (RADIUS::avp did not exist when he wrote it's irule). The irule structure is still the same, but binary operations are optimized and more than 16 bytes passwords support is now included. thanks to Kai Wilke who show previous limitations and leads me to the right direction on how to decode long passwords.
Versions :
1.0 : First version based on RADIUS commands. Required RADIUS profile assigned to the virtual server
1.1 : Added Request Message-Authenticator attribute validation / Response Message-Authenticator insertion (Asked by Sam Hall). To support this feature, the code is rewritten to decode binary data. Radius profile is not required anymore. (31/05/2018)
1.2 : correction on the Request Message-Authenticator attribute validation, a binary conversion to same type is required after
[string replace ...]
command (1/06/2018)
1.3 : Changed Datagroup radius_clients values format to list of parameters and values. this allow to configure per radius client parameters instead of global parameters (Message-Authenticator validation, ...) (1/06/2018)
1.4 : Security improvement while decoding packet (default decoded integer are signed values, where packet decoding length must be unsigned integer. Thank you Kai wilke for the advices) and added duplicate packet detection (4/06/2018)
How to use this snippet:
- Create an Access Policy authenticating users.
- Define Access profile name in variable
static::apmpolicy
-
create a data group list
with values:radius_clients
IPAddress := "KEY radius\\ secret [REQMSGAUTH_REQUIRE 1] [RESPMSGAUTH_INSERT 1] [RFC_2865_COMPLIANCE 1]" IPAddress := "KEY another\\ radius\\ secret [REQMSGAUTH_REQUIRE 1] [RESPMSGAUTH_INSERT 0] [RFC_2865_COMPLIANCE 1]"
- KEY parameter must be followed by the shared secret, if it contains space, add 2 \ characters before each space. this parameter is required.
- REQMSGAUTH_REQUIRE (optional) define if Message-Authenticator attribute is required in request. default value is 0* RESPMSGAUTH_INSERT (optional) define if Message-Authenticator attribute is inserted in response. default value is 0
- RFC_2865_COMPLIANCE (optional) define if the request must respect RFC 2865 (required attributes). default value is 0
-
create a virtual server with RADIUS profile to manage RADIUS::avp commands. If you requires to add radius attributes in RADIUS response, create the APM variable session.result.radius_attr with text value (one line, space characters must be escaped):
Attribute1ID Attribute1Value Attribute2ID Attribute2Value Attribute3ID Attribute3Value
example :
18 Authentication\ Successful 27 3600
Code :
when RULE_INIT { set static::apmpolicy "/Common/AP_RADIUS_SERVICE" set static::client_list "radius_clients" } when CLIENT_ACCEPTED { binary scan [md5 [UDP::payload]] H* PAYLOAD_HASH switch [set DUPLICATE_RESPONSE [table lookup -subtable [IP::client_addr] $PAYLOAD_HASH]] { "" { # Do nothing, not in table } drop { log local0. "Duplicate packet detected with drop decision... dropping again" UDP::drop; return } default { log local0. "Duplicate packet detected sending same answer from table" UDP::respond [binary format H* $DUPLICATE_RESPONSE] return } } set RespLength 20 set RespAVP "" ############## START OF ALLOWED RADIUS CLIENT IP VALIDATION ################# if {![class match [IP::client_addr] equals $static::client_list]} { log local0. "RADIUS Client not in Datagroup : [IP::client_addr]" # RFC 2865 : A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded table add -subtable [IP::client_addr] $PAYLOAD_HASH "drop" 30 600 UDP::drop return } # Set default values if Datagroup miss this configuration set RADCLIENT(REQMSGAUTH_REQUIRE) 0 set RADCLIENT(RESPMSGAUTH_INSERT) 0 set RADCLIENT(RFC_2865_COMPLIANCE) 1 #Retreive RADIUS client shared secret and radius client capabilities. array set RADCLIENT [class match -value [IP::client_addr] equals $static::client_list] if {[binary scan [UDP::payload] cH2Sa16 QCODE IDENTIFIER QLEN Q_AUTHENTICATOR] != 4 || [set QLEN [expr {$QLEN & 0xFFFF}]] > [UDP::payload length] || $QLEN > 4096} { table add -subtable [IP::client_addr] $PAYLOAD_HASH "drop" 30 600 UDP::drop return } else { # Store only PAYLOAD in variable if Length field is valid (less than 4096 and less than payload length). prevent variable allocation if payload not valid. # Octets outside the range of the Length field MUST be treated as padding and ignored on reception. set PAYLOAD [UDP::payload $QLEN] } switch $QCODE { 1 { set REQUEST_NOT_ALLOWED 0 #Store All attribute in array QUERY_ATTR with Attrbute ID as Key for {set record_offset 20} {$record_offset < $QLEN } {incr record_offset $QAVP_LEN} { # If an Attribute is received in an Access-Accept, Access-Reject or Access-Challenge packet with an invalid length, # the packet MUST either be treated as an Access-Reject or else silently discarded. if {([binary scan $PAYLOAD @${record_offset}cc QAVP_TYPE QAVP_LEN] != 2) || ([set QAVP_LEN [expr {$QAVP_LEN & 0xFF}]] < 3) || ($record_offset+$QAVP_LEN > $QLEN) } { table add -subtable [IP::client_addr] $PAYLOAD_HASH "drop" 30 600 UDP::drop return } switch -- [set QAVP_TYPE [expr { $QAVP_TYPE & 0xFF}]] { 1 - 2 - 3 - 4 - 5 - 24 - 32 - 61 {binary scan $PAYLOAD @${record_offset}x2a[expr {$QAVP_LEN -2}] QUERY_ATTR($QAVP_TYPE)} 80 { binary scan $PAYLOAD @${record_offset}x2a[expr {$QAVP_LEN -2}] QUERY_ATTR($QAVP_TYPE) binary scan [string replace $PAYLOAD $record_offset [expr {$record_offset + 18}] [binary format ccH32 80 18 [string repeat 0 32]]] a* UNSIGNED_REQUEST } } } #Assign attibutes to expected variable, with decoding if required. set USER_NAME [expr {[info exists QUERY_ATTR(1)] ? $QUERY_ATTR(1) : ""}] set USER_PASSWORD [expr {[info exists QUERY_ATTR(2)] ? $QUERY_ATTR(2) : ""}] set CHAP_PASSWORD [expr {[info exists QUERY_ATTR(3)] ? $QUERY_ATTR(3) : ""}] if {[info exists QUERY_ATTR(4)]} {binary scan $QUERY_ATTR(4) c4 octets; foreach octet $octets {lappend r [expr {$octet & 0xFF}]}; set NAS_IP_ADDRESS [join $r .] } else {set NAS_IP_ADDRESS "" } if {[info exists QUERY_ATTR(5)]} {binary scan $QUERY_ATTR(5) I NAS_PORT; set NAS_PORT [expr {$NAS_PORT & 0xFFFFFFFF}] } else {set NAS_PORT "" } set STATE [expr {[info exists QUERY_ATTR(24)] ? $QUERY_ATTR(24) : ""}] set NAS_IDENTIFIER [expr {[info exists QUERY_ATTR(32)] ? $QUERY_ATTR(32) : ""}] #if {[info exists QUERY_ATTR(61)]} {binary scan $QUERY_ATTR(61) I NAS_PORT_TYPE; set NAS_PORT_TYPE [expr {$NAS_PORT_TYPE & 0xFFFFFFFF}] } else {set NAS_PORT_TYPE "" } set MESSAGE_AUTHENTICATOR [expr {[info exists QUERY_ATTR(80)] ? $QUERY_ATTR(80) : ""}] #EVALUATE REQUEST MESSAGE-AUTHENTICATOR if {$RADCLIENT(REQMSGAUTH_REQUIRE) && ($MESSAGE_AUTHENTICATOR equals "" || ![CRYPTO::verify -alg hmac-md5 -key $RADCLIENT(KEY) -signature $MESSAGE_AUTHENTICATOR $UNSIGNED_REQUEST])} { # RFC 2869 : A RADIUS Server receiving an Access-Request with a Message-Authenticator Attribute present MUST calculate the correct value # of the Message-Authenticator and silently discard the packet if it does not match the value sent. log local0. "[IP::client_addr] : wrong or missing Message-Authenticator attribute" table add -subtable [IP::client_addr] $PAYLOAD_HASH "drop" 30 600 UDP::drop return } if {$RADCLIENT(RFC_2865_COMPLIANCE)} { if {$NAS_IP_ADDRESS == "" && $NAS_IDENTIFIER == ""} { # RFC 2865 : It MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both). set REQUEST_NOT_ALLOWED 1 set RAVP(18) "REQUEST NOT RFC COMPLIANT" } elseif {$USER_PASSWORD == "" && $CHAP_PASSWORD == "" && $STATE == ""} { # RFC 2865 : An Access-Request MUST contain either a User-Password or a CHAP-Password or a State. set REQUEST_NOT_ALLOWED 1 set RAVP(18) "REQUEST NOT RFC COMPLIANT" } elseif {$USER_PASSWORD ne "" && $CHAP_PASSWORD ne ""} { # RFC 2865 : An Access-Request MUST NOT contain both a User-Password and a CHAP-Password. set REQUEST_NOT_ALLOWED 1 set RAVP(18) "REQUEST NOT RFC COMPLIANT" } } if {$USER_PASSWORD == ""} { set REQUEST_NOT_ALLOWED 1 set RAVP(18) "USER-PASSWORD NOT SET BUT REQUIRED" } elseif {$USER_NAME == ""} { set REQUEST_NOT_ALLOWED 1 set RAVP(18) "USER-NAME NOT SET BUT REQUIRED" } } 2 - 3 - 11 { set REQUEST_NOT_ALLOWED 1 set RAVP(18) "RADIUS CODE NOT SUPPORTED - NOT A RADIUS CLIENT" } 4 - 5 - 6 - 10 { set REQUEST_NOT_ALLOWED 1 set RAVP(18) "RADIUS CODE NOT SUPPORTED - NOT A RADIUS ACCOUNTING SERVER" } default { set REQUEST_NOT_ALLOWED 1 set RAVP(18) "RADIUS CODE NOT SUPPORTED" } } ############## END OF RFC COMPLIANCE AND SERVER FEATURES VALIDATION ################# # DO NOT RELEASE UDP PACKET. Drop it to prevent further process by irule or load balancing to an internal server. # When UDP packet dropped, PAYLOAD is dropped and RADIUS Commands not available anymore. UDP::drop if {$REQUEST_NOT_ALLOWED == 0} { ########## START OF PASSWORD DECRYPTION ############################ binary scan [md5 "$RADCLIENT(KEY)$Q_AUTHENTICATOR"] H* bx_hex binary scan $USER_PASSWORD H* px_full_hex set Password_Padded "" for {set x 0} {$x<[string length $px_full_hex]} {set x [expr {$x+32}]} { set px_hex [string range $px_full_hex $x [expr {$x+31}]] append Password_Padded [binary format W [expr 0x[string range $px_hex 0 15] ^ 0x[string range $bx_hex 0 15]]] append Password_Padded [binary format W [expr 0x[string range $px_hex 16 31] ^ 0x[string range $bx_hex 16 31]]] binary scan [md5 "$RADCLIENT(KEY)[binary format H* $px_hex]"] H* bx_hex } binary scan $Password_Padded A* PASSWORD ########## END OF PASSWORD DECRYPTION ############################ ########## START OF APM AUTHENTICATION ############################ set flow_sid [ACCESS::session create -timeout 60 -lifetime 300] ACCESS::policy evaluate -sid $flow_sid -profile $static::apmpolicy \ session.logon.last.username $USER_NAME \ session.logon.last.password $PASSWORD \ session.server.landinguri "/" \ session.logon.last.NAS_IP_Address $NAS_IP_ADDRESS \ session.logon.last.NAS_Port $NAS_PORT \ session.logon.last.NAS_Identifier $NAS_IDENTIFIER \ session.logon.last.NAS_Port_Type $NAS_PORT if {[ACCESS::policy result -sid $flow_sid] equals "allow"} { set ResponseCode 2 if {![info exists RAVP(18)] } {set RAVP(18) "Good username Password"} } else { set ResponseCode 3 if {![info exists RAVP(18)] } {set RAVP(18) "wrong username Password"} } array set RAVP [ACCESS::session data get -sid $flow_sid session.result.radius_attr] ACCESS::session remove -sid $flow_sid ########## END OF APM AUTHENTICATION ############################ } else { set ResponseCode 3 if {[info exists RAVP(18)] } { log local0. $RAVP(18)} } ########## ENCODING AND DELIVERY OF RADIUS RESONSE ############################ foreach attrID [array names RAVP] { incr RespLength [set attrLength [expr {[string length $RAVP($attrID)]+2}]] append RespAVP [binary format cca* $attrID $attrLength $RAVP($attrID)] } #CALCULATE RESPONSE MESSAGE-AUTHENTICATOR if {$RADCLIENT(RESPMSGAUTH_INSERT)} { set UNSIGNED_RespAVP $RespAVP[binary format ccH32 80 18 [string repeat 0 32]] incr RespLength 18 append RespAVP [binary format cc 80 18][CRYPTO::sign -alg hmac-md5 -key $RADCLIENT(KEY) [binary format cH2Sa16a* $ResponseCode $IDENTIFIER $RespLength $Q_AUTHENTICATOR $UNSIGNED_RespAVP]] } binary scan [md5 [binary format cH2Sa16a[expr {$RespLength-20}]a[string length $RADCLIENT(KEY)] $ResponseCode $IDENTIFIER $RespLength $Q_AUTHENTICATOR $RespAVP $RADCLIENT(KEY) ]] H* ResponseAuth set RESPONSE [binary format cH2SH32a* $ResponseCode $IDENTIFIER $RespLength $ResponseAuth $RespAVP] UDP::respond $RESPONSE binary scan $RESPONSE H* RESPONSE_HEX table add -subtable [IP::client_addr] $PAYLOAD_HASH $RESPONSE_HEX 15 60 }
Tested this on version:
12.0- Stanislas_Piro2Cumulonimbus
Kai,
to make it more elegant, I changed the decoding code to (all attributes are stored in a array with ID as key)
for {set record_offset 0} {$QLEN - $record_offset > 20} {incr record_offset $QAVP_LEN} { binary scan $QAVP @${record_offset}cc QAVP_TYPE QAVP_LEN binary scan $QAVP @${record_offset}x2a[expr {$QAVP_LEN -2}] QUERY_ATTR($QAVP_TYPE) if {$QAVP_TYPE == 80} { set UNSIGNED_RAVP [string replace $QAVP $record_offset [expr {$record_offset + 18}] [binary format ccH32 80 18 [string repeat 0 32]]] set UNSIGNED_REQUEST [binary format cH2Sa16a* $QCODE $QID $QLEN $Q_AUTHENTICATOR $UNSIGNED_RAVP] } }
then each required attribute is copied to the expected variable
set USER_NAME [expr {[info exists QUERY_ATTR(1)] ? $QUERY_ATTR(1) : ""}] set USER_PASSWORD [expr {[info exists QUERY_ATTR(2)] ? $QUERY_ATTR(2) : ""}] set CHAP_PASSWORD [expr {[info exists QUERY_ATTR(3)] ? $QUERY_ATTR(3) : ""}]
- Sam_HallNimbostratus
@Kai, have a read through RFC 5080. Page 6 states "Any Access-Request packet that performs authorization checks, including Call Check, SHOULD contain a Message-Authenticator attribute.". Then later "Requests not containing a Message-Authenticator attribute MAY then be silently discarded."
@Sam: A Radius Access-Request packet "MAY" contain a Message-Authenticator attribute and Radius implementers "SHOULD" adopt this security feature. But in the end its still not a "MUST" requirement for both. Please don't get me wrong, I do personally recommend to adopt this attribute (and also other useful post RFC2865 extensions, recommendations and clarifications) every single day.
@Stanislas: Well, its up to you to store every single attribute in a variable. But keep in mind, that some attributes may be included more than once in a single Radius request. Last but not least, you may also want to check your input validation twice. With the recent additions you are allowing an attacker to crash your TMM by sending a single handcrafted UDP datagram...
Cheers, Kai
- Stanislas_Piro2Cumulonimbus
@Kai : You're right again.
I was working on a simplification / security improvement.
-
check payload length according to RFC
if {[binary scan [UDP::payload] cH2Sa16 QCODE IDENTIFIER QLEN Q_AUTHENTICATOR] != 4 || $QLEN > [UDP::payload length] || $QLEN > 4096} { UDP::drop return } else { Store only PAYLOAD in variable if Length field is valid (less than 4096 and less than payload length). prevent variable allocation if payload not valid. Octets outside the range of the Length field MUST be treated as padding and ignored on reception. set PAYLOAD [UDP::payload $QLEN] }
-
create a hash of payload to manage "Duplicate Detection"
I was thinking to store payload md5 hash as session variable key (one subtable per IP address) with response payload in value and with 30s timeout.
-
Hi Stanislas,
1.) I prefer to check if at least 20 bytes are received instead of starting to parsing the outer protocol encapsulation and then count the resulting fields, but its a personal preference.
2.) I'm glad you found out that the UDP-layer needs some attention too, to make the Radius Server RFC compliant and also stable enough for OTP operations. I recommend to use the algorythm mentioned in RFC 5080 to maintain the caches...
In addition to that...
1.) Learn the small but important difference between a signed and unsigned integer.
2.) Test your iRule with the UDP payloads below and watch your TMM entering an endless
loop and finally crashing...[for]
set PAYLOAD "\x01\xff\x00\x18\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x02\x01\xfe" set PAYLOAD "\x01\xff\x00\x16\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x00"
3.) Make sure to spent me a beer during the next MVP summit for pointing out some coding flaws... 😉
4.) And spent me another beer to get a free copy of my iRule based Radius Server stack... 😉
Cheers, Kai
- Stanislas_Piro2Cumulonimbus
I guess this is better:
for {set record_offset 20} {$record_offset < $QLEN } {incr record_offset $QAVP_LEN} { binary scan $PAYLOAD @${record_offset}cc QAVP_TYPE QAVP_LEN set QAVP_LEN [expr {$QAVP_LEN & 0xFF}] If an Attribute is received in an Access-Accept, Access-Reject or Access-Challenge packet with an invalid length, the packet MUST either be treated as an Access-Reject or else silently discarded. if {($QAVP_LEN < 3) || ($record_offset+$QAVP_LEN > $QLEN) } {UDP::drop; return} binary scan $PAYLOAD @${record_offset}x2a[expr {$QAVP_LEN -2}] QUERY_ATTR($QAVP_TYPE) if {$QAVP_TYPE == 80} { binary scan [string replace $PAYLOAD $record_offset [expr {$record_offset + 18}] [binary format ccH32 80 18 [string repeat 0 32]]] a* UNSIGNED_REQUEST } } }
My additional 1.) and 2.) puzzles should be solved now. 3.) is still unsolved and 4.) remains optional... ;-)
Cheers, Kai
- Stanislas_Piro2Cumulonimbus
3 - of course. but with this agreement, I'm afraid some other people will try to help me too ;-)
4 - No really need the code, I wrote it for learning and have fun during free time. I expected your's last september ;-). But I'll be happy for this one too (the beer I mean)
- Stanislas_Piro2Cumulonimbus
I just updated the code thanks to kai’s advices.
Read version history to see changes.
4 - Did sold my Radius stack to a customer. Will check up with them again to get the approval for publishing...
Cheers, Kai