| Age | Commit message (Collapse) | Author |
|
Situation is a bit complex. Even one problem we fix easily,
such as saving server as variable, rad_req_free might free
server in theory, and s will be invalid.
This is a bit of rewrite, but proper fix.
Fixes problem in 2 functions.
Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
|
|
Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
|
|
Not a bug, but to supress warnings.
Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
|
|
Recently FreeRadius started to complain accel-ppp doesn't pass
BlastRADIUS check. This commit fixes that.
This commit implements protection against RADIUS blast attacks
by adding support for the Message-Authenticator attribute in
Access-Request packets. This security enhancement helps
prevent unauthorized access attempts and replay attacks
on RADIUS authentication.
- Added new configuration option `blast-protection=1`
in [radius] to enable Message-Authenticator inclusion
- Implemented HMAC-MD5 calculation for
Message-Authenticator attribute (RFC 2869)
- Modified packet building to include 18-byte Message-Authenticator
attribute when enabled
- Updated packet structure to support signing with shared secret
Enable blast protection by adding to the `[radius]` section:
```
blast-protection=1
```
When enabled, all Access-Request packets will include a
Message-Authenticator attribute with HMAC-MD5 signature,
providing cryptographic integrity verification and protection
against packet modification attacks.
Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>
|
|
This change enables ipv6 connections between accel-ppp and radius server
|
|
This patch introduces nas-port-id-in-req switch to disable sending
NAS-Port-Id attribute in radauth and radacct messages. New switch
might be useful if radius server cannot properly handle this
attrubite.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
|
|
|
|
New configuration format:
[radius]
server=address,secret[,auth-port=1812][,acct-port=1813][,vrf=VRF_NAME][,req-limit=0][,fail-timeout=0,max-fail=0,][,weight=1][,backup]
dae-server=x.x.x.x:port,secret[,vrf=VRF_NAME]
By default, VRF name is undefined.
|
|
If Delegated-IPv6-Prefix was received in Access-Accept message, it is
necessary to send it in radacct Start message
|
|
once radius server has returned User-Name attribute in Access-Accept
packet, it'll be used for any subsequent Accounting-Request packets
instead of internal username per RFC2865 5.1
other way of just replacing session username is possible, but not
desired at the moment due potential issues with single-session modes
in case of different ppp logins / ipoe macs and same contract number
returned by radius for that accounts.
|
|
|
|
1 - is high priority queue for Access-Request and Account-Request(Start)
2 - is low priority queue for Account-Request(Alive) and Account-Request(Stop)
This patch intended to prioritize sessions connecting requests over disconnects and interim updates.
|
|
|
|
|
|
|
|
|
|
|
|
Before this patch any single fail (no responce for max_try requests) caused radius server to enter "fail" state,
which may be unwanted behaviour, because radius may not respond for interim Accounting-Request by some reasons.
This patch introduces "max-fail" option which specifies number of unreplied requests in a row after which server enters into "fail" state.
(Actual only for multi-server configurations)
|
|
not respond
|
|
|
|
|
|
|
|
This patch gets rid of synchronuos style of authentication/accounting.
Synchronous style of authentication/accounting produced sleeping threads
which becomes a problem when lots of sessions started/stopped and all they want authorization/accounting.
|
|
|
|
If specified then accel-ppp will send tunnel type as string (pppoe,pptp,l2tp,ipoe).
|
|
|
|
|
|
Signed-off-by: Dmitry Kozlov <xeb@mail.ru>
|
|
Acct-Status-Type=Accounting-On on startup and Acct-Status-Type=Accounting-Off on shutdown
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|