09-11-2007 09:12 AM - edited 03-10-2019 03:23 PM
We are developing an ISG Radius CoA client.
Our settings are:
* Cisco IOS Software, 7200 Software (C7200-K91P-M), Version 12.2(31)SB6, RELEASE SOFTWARE (fc1)
* Here is a snippet of our configuration for CoA:
  aaa server radius dynamic-author
    client 192.168.1.223 server-key xxx
    server-key xxx
    auth-type all
    ignore session-key
  !
The issue is that we are not able to implement the "Account Logon" procedure based on the Cisco documentation (ISG RADIUS Interface, http://www.cisco.com/univercd/cc/td/doc/product/software/ios122sb/cg/isg_lib/isg_ig/isgcoa3.htm#wp1100384). We are not clear about the section below from this document:
"Since a CoA Account Logon request usually requires the inclusion of an encrypted password attribute, this password must be sent as Cisco VSA 249, which contains a separate authenticator for the user password (called initiator vector) followed by the encrypted user password, as detailed in Figure 6.
...
The initiator vector is a 16-octet pseudo-random number uniquely generated for each attribute. The encrypted value field is 16 or more octets containing data that is length-prefixed and zero padded to an even multiple of 16 octets."
We do not understand what procedure should be used for creating the encrypted password/value.
Can someone provide us with more information on this, with details on how to fill out the subscriber-password field? An example would be especially helpful.
Thanks
Steve
11-06-2007 09:17 PM
Hi Steve, we have a similar issue. Please share the details of any resolution you have had so far. Thanks.
11-07-2007 05:42 AM
We are using Java and we patched JRadius for supporting Cisco ISG CoA.
Below is the main code for creating the Cisco subscriber-password value for the Cisco VSA RADIUS attribute.
Attached is another file with some Java classes that may help.
Steve
import java.nio.charset.StandardCharsets;
// JRadius classes the code relies on (package names assumed from JRadius: net.jradius.*)
import net.jradius.client.RadiusClient;
import net.jradius.util.RadiusUtils;

public class CiscoUtils {
    /**
     * Builds the value of Cisco VSA 249 (subscriber-password): a 16-octet initiator
     * vector followed by the length-prefixed, zero-padded password hidden with the
     * RFC 2865 User-Password method, keyed by the shared secret and that vector.
     */
    public static byte[] makeCiscoSubscriberPasswordValue(RadiusClient rc, String password) {
        // Use the encoded byte length, not the char count, and an int so lengths >= 128 do not go negative
        byte[] pw = password.getBytes(StandardCharsets.UTF_8);
        if (pw.length == 0 || pw.length > 255) {
            throw new IllegalArgumentException("password must be 1..255 octets (one-octet length prefix)");
        }
        // Length-prefix the password; encodePapPassword zero-pads it to a multiple of 16 octets
        byte[] lenPassword = new byte[1 + pw.length];
        lenPassword[0] = (byte) pw.length;
        System.arraycopy(pw, 0, lenPassword, 1, pw.length);
        // Fresh 16-octet pseudo-random authenticator, used as the per-attribute initiator vector
        byte[] authenticator = RadiusUtils.makeRFC2865RequestAuthenticator(rc.getMD(), rc.getSharedSecret());
        // RFC 2865 User-Password hiding with the initiator vector in place of the Request Authenticator
        byte[] encryptedValue = RadiusUtils.encodePapPassword(rc.getMD(), lenPassword, authenticator, rc.getSharedSecret());
        // VSA value = initiator vector || encrypted value
        byte[] result = new byte[authenticator.length + encryptedValue.length];
        System.arraycopy(authenticator, 0, result, 0, authenticator.length);
        System.arraycopy(encryptedValue, 0, result, authenticator.length, encryptedValue.length);
        return result;
    }
}
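To make the VSA 249 layout concrete without the JRadius dependency, here is a Python version of the same encoding, added here and not taken from Steve's post or from JRadius. It assumes the encrypted value uses the RFC 2865 User-Password hiding method (each 16-octet chunk XORed with MD5(secret || previous block), starting from the initiator vector), which is what encodePapPassword does, and caps the password at 128 octets as RFC 2865 does; a receiver-side decoder is included so an implementer can check that the ISG would unpack the value correctly.

```python
import hashlib
import os
from typing import Optional

BLOCK = 16  # RFC 2865 User-Password hiding works on 16-octet chunks


def hide(shared_secret: bytes, iv: bytes, plain: bytes) -> bytes:
    """RFC 2865 section 5.2 hiding with the per-attribute initiator vector
    in place of the Request Authenticator; zero-pads to a 16-octet multiple."""
    if len(iv) != BLOCK:
        raise ValueError("initiator vector must be exactly 16 octets")
    padded = plain + b"\x00" * (-len(plain) % BLOCK)
    out, prev = bytearray(), iv
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(shared_secret + prev).digest()  # b_n = MD5(S + c_(n-1))
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], key))
        out += chunk
        prev = chunk  # chain on the previous ciphertext block
    return bytes(out)


def make_subscriber_password_vsa(secret: bytes, password: str, iv: Optional[bytes] = None) -> bytes:
    """VSA 249 value: 16-octet initiator vector || hide(length-prefixed password)."""
    pw = password.encode("utf-8")
    if not 1 <= len(pw) <= 128:  # assumed cap, matching RFC 2865 User-Password
        raise ValueError("password must be 1..128 octets")
    if iv is None:
        iv = os.urandom(BLOCK)  # fresh pseudo-random vector for every attribute
    return iv + hide(secret, iv, bytes([len(pw)]) + pw)


def parse_subscriber_password_vsa(secret: bytes, value: bytes) -> str:
    """Receiver-side inverse: split off the IV, unhide, validate prefix and padding."""
    if len(value) < 2 * BLOCK or len(value) % BLOCK:
        raise ValueError("value must be an IV plus a non-empty multiple of 16 octets")
    iv, enc = value[:BLOCK], value[BLOCK:]
    out, prev = bytearray(), iv
    for i in range(0, len(enc), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + BLOCK], key))
        prev = enc[i:i + BLOCK]  # the ciphertext block feeds the next key
    n = out[0]
    if n == 0 or n > len(out) - 1 or any(out[1 + n:]):
        raise ValueError("bad length prefix or non-zero padding")
    return out[1:1 + n].decode("utf-8")
```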