Radius Authentication Server

by: burt rosenberg
at: university of miami



Radius Authentication Server Project

We implement a simple Radius Authentication server, mostly compliant with the protocol given RFC 2865: Remote Authentication Dial In User Service

Specific Objectives

Man Page



NAME
    mini-radius
    
SYNOPSIS
    mini-radius [-vR -k shared-key -p port] -h host username password
    mini-radius [-vLR -k shared-key -p port] password-file
    
DESCRIPTION
    
    The program runs as either client or server, depending on whether the -h option
    is present. As a server, the password-file is opened and the server listens on the
    port for authentication requests. As a client, the given username and password are
    authenticated to the server/port given in the options, and YES or NO is
    printed, according to the result.
    
    The protocol is described in RFC 2865, simplified for only password authentication.
    The access-request (code 1) packet sent by the client has two attributes, user-name
    (code 1) and user-password (code 2); and the response is either an access-accept 
    (code 2) or an access-reject (code 3).
    
OPTIONS
    -k the shared key for encrypting, the default is pa55word0
    -p the port the server listens (is listening) on, the default is 1812
    -h the radius server hostname
    -v Verbose. Helpful debugging output to stdout. 
    -R no randomness. The stream of random bytes used by the program is 
       set to 1, 2, 3, ... 
    -L when run as a server, do not loop; answer one full request and terminate
    
FILE FORMAT
    Username/Passwords are stored in file on the server. It is of the format
    
    (name:password\n)+
    
    where name and password are non-empty strings from (a-z, A-Z, 0-9)*.     
 
NOTES
    The program will have simplifying limitations, as given in the detailed
    project instructions.

HISTORY
    First introduced in Spring 2017.

LAST UPDATED 
    28 March 2017

Detailed description

Because the algorithm for masking the password is complicated by variable length passwords, and because the length of the password should not be disclosed, our mini-radius will MD5 hash the password to exactly 16 bytes, and use the hashed-password in the user-password attribute.

The openssl library has the MD5 function. See man 3 md5. If there is no man page, you must install the openssl library. This library might not be easily available for OSX, but it is available for Linux distros. The -R option provides non-randomness for testing. Cryptographic randomness is provided by /dev/random and /dev/urandom. See man urandom.

You can ignore the requirement for NAS-IP-Address or NAS-Identifier in the access request packet.

Hash and encryption test vectors:

pwd=password,
md5(pwd)=5f4dcc3b 5aa765d6 1d8327de b882cf99

buf.data:
 02 -Access-Accept
 01 -Identifier
 0014 -Length (20 bytes)
 d39e0d8d 69f8cd89 10616f73 9ccac085 -authenticator received (the request authenticator)

buf.password:
 70613535 776f7264 30 -"pa55word0" (the shared key)

buf=02010014 d39e0d8d 69f8cd89 10616f73 9ccac085 70613535 776f7264 30
md5(buf)=63905cc0 917fab66 f0738ebd 30a90f19 (the response authenticator)
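The packet handling described above (access-request with user-name and user-password, access-accept/reject with a response authenticator over code|id|length|request-authenticator|secret) as an added example in Python rather than the C/openssl the project asks for; this is not the project's code. It assumes the 16-byte password hash is sent masked with one block of the RFC 2865 User-Password scheme (XOR MD5(secret||RequestAuthenticator)), which the page does not spell out, and it takes the -R "no randomness" authenticator 1, 2, 3, ... as its sample request authenticator.

```python
import hashlib, hmac, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                 # the two attributes used here

def hash_password(pwd: str) -> bytes:
    return hashlib.md5(pwd.encode()).digest()   # page's simplification: exactly 16 bytes

def mask_password(pwd: str, secret: bytes, req_auth: bytes) -> bytes:
    # Assumption: hash XOR MD5(secret || RequestAuthenticator), one block of the RFC 2865 masking.
    pad = hashlib.md5(secret + req_auth).digest()
    return bytes(a ^ b for a, b in zip(hash_password(pwd), pad))

def build_access_request(ident: int, req_auth: bytes, user: str, pwd: str, secret: bytes) -> bytes:
    attrs = b""
    for kind, value in ((ATTR_USER_NAME, user.encode()),
                        (ATTR_USER_PASSWORD, mask_password(pwd, secret, req_auth))):
        attrs += struct.pack("!BB", kind, 2 + len(value)) + value   # type, length, value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attributes(body: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(body):
        kind, n = body[i], body[i + 1]
        if n < 2 or i + n > len(body):          # a length that runs off the packet
            raise ValueError("malformed attribute")
        attrs[kind] = body[i + 2:i + n]
        i += n
    return attrs

def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def server_handle(pkt: bytes, users: dict, secret: bytes) -> bytes:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = pkt[4:20], parse_attributes(pkt[20:])
    name = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    ok = name in users and hmac.compare_digest(      # constant-time compare of the 16 bytes
        mask_password(users[name], secret, req_auth), attrs.get(ATTR_USER_PASSWORD, b""))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)

def client_verify(resp: bytes, req_auth: bytes, secret: bytes):
    """True/False for Access-Accept/Reject; None if the Response Authenticator is wrong."""
    head, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    if not hmac.compare_digest(hashlib.md5(head + req_auth + attrs + secret).digest(), resp_auth):
        return None                                  # forged or tampered reply: do not trust the code
    return resp[0] == ACCESS_ACCEPT
```

A reply whose code has been flipped from reject to accept, or one built with a different shared key, fails the response-authenticator check and is reported as None rather than as a decision.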
Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Author: Burton Rosenberg
Created: 28 March 2017
Last Update: 30 March 2018