Radius Authentication Server Project
We implement a simple Radius Authentication server, mostly compliant with the protocol given RFC 2865: Remote Authentication Dial In User Service
NAME mini-radius SYNOPSIS mini-radius [-vR -k shared-key -p port] -h host username password mini-radius [-vLR -k shared-key -p port] password-file DESCRIPTION The program runs as either client or server, depending on the whether the -h option is present. If server, the password-file is opened and the servers listens on the port of authentication requests. If client, the given username password is authenticated to the server/port as given in the option, and YES or NO is printed, according to the result. The protocol is described in RFC 2865, simplified for only password authentication. The access-request (code 1) packet sent by the client has two attributes, user-name (code 1) and user-password (code 2); and the response is either an access-accept (code 2) or an access-reject (code 3). OPTIONS -k the shared key for encrypting, the default is pa55word0 -p the port the server listens (is listening) on, the default is 1812 -h the radius server hostname -v Verbose. Helpful debugging output to stdout. -R no randomness. The stream of random bytes used by the program is set to 1, 2, 3, ... -L when run as a server, do not loop; answer one full request and terminate FILE FORMAT Username/Passwords are stored in file on the server. It is of the format (name:password\n)+ where name and password are non-empty strings from (a-z, A-Z, 0-9)*. NOTES The program will have simplifying limitations, as given in the detailed project instructions. HISTORY First introduced in Spring 2017. LAST UPDATED 28 March 2017
Detailed description
Because the algorithm for masking the password is complicated by variable length passwords, and because the length of the password should not be disclosed, our mini-radius will MD5 hash the password to exactly 16 bytes, and use the hashed-password in the user-password attribute.
The openssl library has the MD5 function. See man 3 md5. If there is no man page, you must install the openssl library. This library might not be available easily for OSX, but it is available for Linux distros. The -R provides test non-randomness. Cryptographic randomness is provided by /dev/random and /dev/urandom. See man urandom.
You can ignore the requirement for NAS-IP-Address or NAS-Identifier in the access request packet.
Hash and encryption test vectors:
pwd=password, md5(pwd)=5f4dcc3b 5aa765d6 1d8327de b882cf99 buf.data: 02 -Access-Accept 01 -Identifier 0014 - Length (20 bytes) d39e0d8d 69f8cd89 10616f73 9ccac085 -authenticator receivedb buf.password: 70613535 776f7264 30 -"pa55word0" buf=02010014 d39e0d8d 69f8cd89 10616f73 9ccac085 70613535 776f7264 30 md5(buf)=63905cc0 917fab66 f0738ebd 30a90f19
Author: Burton Rosenberg
Created: 28 March 2017
Last Update: 30 March 2018