Example of Account Login on ISG in CoA mode

Unanswered Question
Sep 11th, 2007

We are developing an ISG Radius CoA client.

Our settings are:

* Cisco IOS Software, 7200 Software (C7200-K91P-M), Version 12.2(31)SB6, RELEASE SOFTWARE (fc1)

* Here is a snippet of our configuration for CoA:

aaa server radius dynamic-author
 client 192.168.1.223 server-key xxx
 server-key xxx
 auth-type all
 ignore session-key
!

The issue is that we are not able to implement the "Account Logon" procedure based on the Cisco documentation ( ISG Radius Interface http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/cg/isg_lib/isg_ig/isgcoa3.htm#wp1100384 ). We are not clear about the section below from this document:

"Since a CoA Account Logon request usually requires the inclusion of an encrypted password attribute, this password must be sent as Cisco VSA 249, which contains a separate authenticator for the user password (called initiator vector) followed by the encrypted user password, as detailed in Figure 6.

...

The initiator vector is a 16-octet pseudo-random number uniquely generated for each attribute. The encrypted value field is 16 or more octets containing data that is length-prefixed and zero padded to an even multiple of 16 octets."

We do not understand what procedure should be used for creating the encrypted password/value.

Can someone provide us with more information on this, with details on how to fill out the subscriber-password field? An example would be especially helpful.

Thanks

Steve

xius-bcgi-2007 Tue, 11/06/2007 - 21:17

Hi Steve, we have a similar issue. Please share the details of any resolution you have had so far. Thanks.

steven.e.hansen Wed, 11/07/2007 - 05:42

We are using Java and we patched JRadius for supporting Cisco ISG CoA.

Below is the main code for the creation of the Cisco subscriber value for the Cisco VSA RADIUS attribute.

Attached is another file with some Java classes that may help.

Steve

import java.nio.charset.StandardCharsets;

// JRadius package paths assumed here; the original post did not include its imports.
import net.jradius.client.RadiusClient;
import net.jradius.util.RadiusUtils;

public class CiscoUtils {

    public static byte[] makeCiscoSubscriberPasswordValue(RadiusClient rc, String password) {
        // Work on the byte form so the length prefix matches the bytes actually copied
        byte[] pw = password.getBytes(StandardCharsets.US_ASCII);
        if (pw.length > 127) {
            throw new IllegalArgumentException("password does not fit a one-octet length prefix");
        }

        // Encode the length into the first byte of the password (required by util)
        byte[] lenPassword = new byte[1 + pw.length];
        lenPassword[0] = (byte) pw.length;
        System.arraycopy(pw, 0, lenPassword, 1, pw.length);

        // Fresh 16-octet authenticator: this is the "initiator vector" for the attribute
        byte[] authenticator = RadiusUtils.makeRFC2865RequestAuthenticator(rc.getMD(), rc.getSharedSecret());

        // RFC 2865 User-Password hiding of the length-prefixed value, zero padded to 16 octets
        byte[] encryptedValue = RadiusUtils.encodePapPassword(rc.getMD(), lenPassword, authenticator, rc.getSharedSecret());

        // VSA 249 value = initiator vector || encrypted value
        byte[] result = new byte[authenticator.length + encryptedValue.length];
        System.arraycopy(authenticator, 0, result, 0, authenticator.length);
        System.arraycopy(encryptedValue, 0, result, authenticator.length, encryptedValue.length);
        return result;
    }
}
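The VSA 249 layout quoted from the Cisco document in the original question (16-octet initiator vector, then a length-prefixed, zero-padded value hidden with the RFC 2865 User-Password method) and the Java above both describe the same construction. The following Python is an added example, not code from the thread, from Cisco or from JRadius; it builds the value from scratch with only the standard library and also decodes it, so the encoder can be checked against itself. The shared secret and the fixed initiator vector used in the usage are constructed values.

```python
import hashlib
import os
from typing import Optional

BLOCK = 16  # the RFC 2865 hiding works in MD5-sized 16-octet blocks


def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    # b_i = MD5(S + c_{i-1}); for the first block c_0 is the initiator vector
    return hashlib.md5(secret + prev).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, password: bytes, iv: Optional[bytes] = None) -> bytes:
    """Build the VSA 249 value: initiator vector || encrypted(len-prefixed, zero-padded password)."""
    if len(password) > 127:
        raise ValueError("password must fit a one-octet length prefix")
    if iv is None:
        iv = os.urandom(BLOCK)  # a fresh 16-octet pseudo-random vector per attribute
    if len(iv) != BLOCK:
        raise ValueError("initiator vector must be 16 octets")

    # Length prefix, then zero pad to an even multiple of 16 octets
    plain = bytes([len(password)]) + password
    plain += b"\x00" * ((-len(plain)) % BLOCK)

    out = bytearray()
    prev = iv
    for i in range(0, len(plain), BLOCK):
        c = _xor(plain[i:i + BLOCK], _keystream_block(secret, prev))
        out += c
        prev = c  # chaining: next keystream block depends on this ciphertext block
    return iv + bytes(out)


def reveal_password(secret: bytes, value: bytes) -> bytes:
    """Inverse of hide_password, as the NAS would apply it; raises on a malformed value."""
    iv, enc = value[:BLOCK], value[BLOCK:]
    if len(iv) != BLOCK or not enc or len(enc) % BLOCK:
        raise ValueError("encrypted field must be a non-empty multiple of 16 octets")

    out = bytearray()
    prev = iv
    for i in range(0, len(enc), BLOCK):
        block = enc[i:i + BLOCK]
        out += _xor(block, _keystream_block(secret, prev))
        prev = block

    n = out[0]
    if n > len(out) - 1:
        raise ValueError("length prefix exceeds decrypted data (wrong secret or corrupt value)")
    return bytes(out[1:1 + n])


if __name__ == "__main__":
    # Constructed values for demonstration only
    secret = b"constructed-secret"
    iv = bytes(range(16))
    value = hide_password(secret, b"secret", iv)
    print(value.hex())
    print(reveal_password(secret, value))
```

The encrypted field carries the one-octet length prefix inside the ciphertext, so a 6-byte password occupies a single 16-octet block and the whole attribute value is 32 octets; a 17-byte password spills into a second block and the value grows to 48. Because a fresh initiator vector is drawn for each attribute, two encodings of the same password with the same secret differ in every byte, which is the property the separate per-attribute authenticator exists to provide.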
