Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2501
Views
0
Helpful
2
Replies

Example of Account Login on ISG in CoA mode

steven.e.hansen
Level 1
Level 1

‎09-11-2007 09:12 AM - edited ‎03-10-2019 03:23 PM

We are developing an ISG Radius CoA client.

Our settings are:

* Cisco IOS Software, 7200 Software (C7200-K91P-M), Version 12.2(31)SB6, RELEASE SOFTWARE (fc1)

* Here is a snippet of our configuration for CoA:

aaa server radius dynamic-author

client 192.168.1.223 server-key xxx

server-key xxx

auth-type all

ignore session-key

!

The issue is that we are not able to implement the "Account Logon" procedure based on the Cisco documentation ( ISG Radius Interface http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/cg/isg_lib/isg_ig/isgcoa3.htm#wp1100384 ). We are not clear about the section below from this document:

"Since a CoA Account Logon request usually requires the inclusion of an encrypted password attribute, this password must be sent as Cisco VSA 249, which contains a separate authenticator for the user password (called initiator vector) followed by the encrypted user password, as detailed in Figure 6.

...

The initiator vector is a 16-octet pseudo-random number uniquely generated for each attribute. The encrypted value field is 16 or more octets containing data that is length-prefixed and zero padded to an even multiple of 16 octets."

We do not understand what procedure should be used for creating the encrypted password/value.

Can someone provide us more information on this with details on how to fill out subscriber-password field? An example would be especially helpful.

Thanks

Steve

Labels:
0 Helpful
2 Replies 2

xius-bcgi-2007
Level 1
Level 1

‎11-06-2007 09:17 PM

Hi steve, we have a similar issue. please share the details of any resolution if you have had so far. thanks.

0 Helpful

steven.e.hansen
Level 1
Level 1
In response to xius-bcgi-2007

‎11-07-2007 05:42 AM

We are using Java and we patched JRadius for supporting Cisco ISG CoA.

Below is the main code for the creation of the cisco subscriber value for the Cisco VSA Radius attribute.

Attached is another file with some Java classes that may help.

Steve

public class CiscoUtils {

public static byte[] makeCiscoSubscriberPasswordValue(RadiusClient rc, String password){

byte len = (byte) (password.length()&0xff);

// Encode the length into a first byte of the password (required by util)

byte[] lenPassword = new byte[1 + len];

lenPassword[0] = (byte) (len);

System.arraycopy(password.getBytes(), 0, lenPassword, 1, password.length());

byte[] authenticator = RadiusUtils.makeRFC2865RequestAuthenticator(rc.getMD(), rc.getSharedSecret());

byte[] encryptedValue = RadiusUtils.encodePapPassword(rc.getMD(), lenPassword, authenticator, rc.getSharedSecret());

byte[] result = new byte[authenticator.length + encryptedValue.length ];

System.arraycopy(authenticator, 0, result, 0, authenticator.length);

System.arraycopy(encryptedValue, 0, result, authenticator.length, encryptedValue.length);

return result;

}

}

Preview file
12 KB
0 Helpful
Customers Also Viewed These Support Documents