pyrad
Pyrad Proxy Question/Problem?
Hello,
I am trying to build a simple proxy server which sends packets to a different RADIUS server (freeradius). Everything works so far. The only problem I have seen is that freeradius sends back MPPE keys, and the eapol_test which I am using for testing EAP-TLS / PEAP authentication seems to dislike the keys:
WARNING: PMK mismatch
PMK from AS - hexdump(len=32): 16 00 76 8b f5 9a 3d 6b 07 12 fb 35 a1 2d 72 72 78 ee e0 03 18 77 5b 31 17 a9 18 78 c0 12 19 20
No EAP-Key-Name received from server
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 1
FAILURE
From the code I use, within HandleAuthPacket, I create a Client:

```python
from pyrad.client import Client
from pyrad.dictionary import Dictionary

# pyrad expects the shared secret as bytes (the original line was also
# missing the closing quote after 'secret)
client = Client(server='10.0.0.1', secret=b'secret',
                dict=Dictionary("dicts/dictionary"), authport=1812)
req = client.CreateAuthPacket(code=pkt.code)
```

and copy every key over to the proxied packet and send it out:

```python
if pkt.keys():
    for i in pkt.keys():
        if i != "Message-Authenticator":
            # Add each key to proxied packet
            req[i] = pkt[i]
req.add_message_authenticator()
reply = client.SendPacket(req)
```
Same goes for the response back to the client. pkt is the initial packet from the requesting client:

```python
attrs = {}
if reply.keys():
    for i in reply.keys():
        if i != "Message-Authenticator":
            # Add each key to reply packet
            attrs[i] = reply[i]
replyTOHost = self.CreateReplyPacket(pkt, **attrs)
replyTOHost.code = reply.code
replyTOHost.add_message_authenticator()
self.SendReplyPacket(pkt.fd, replyTOHost)
```
I am also using the latest commit, which has the salt decrypt function in packet.py.
I guess you need to "re-encrypt" the password on the way to the server. User-Password is hashed with the secret and Message-Authenticator, so it will change when you forward it.
I'm also trying to create a proxy server, but packet.PwDecrypt is not working for me:

```text
File "/home/theholm/.local/lib/python3.10/site-packages/pyrad/packet.py", line 712, in PwDecrypt
    pw += bytes((hash[i] ^ buf[i],))
TypeError: unsupported operand type(s) for ^: 'int' and 'bytes'
```
MPPE keys are also encrypted using the shared secret, so you need to re-encrypt them in transit.
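To make the two replies concrete, here is an added example (not code from this thread and not pyrad's own implementation) of the two obfuscation schemes involved and of the decrypt-then-re-encrypt step a proxy has to perform on every hop. User-Password is hidden per RFC 2865 section 5.2 with MD5(secret + Request Authenticator) chaining; MS-MPPE-Send-Key / MS-MPPE-Recv-Key are salt-encrypted per RFC 2548 section 2.4 with MD5(secret + Request Authenticator + salt). Both are bound to the shared secret and the Request Authenticator of the request on that particular hop, so an attribute copied verbatim from the freeradius reply into the reply to the client decrypts to garbage there, which is exactly the "PMK mismatch" eapol_test reports. The example uses only hashlib; the secrets, authenticators, salts and the 32-byte key are constructed values, and the function names are this example's own.

```python
import hashlib

# Added example, not pyrad code: RFC 2865 User-Password hiding, RFC 2548
# salt-encryption (MS-MPPE-*-Key) and the per-hop re-encryption a proxy needs.


def _chain_encrypt(plain: bytes, secret: bytes, seed: bytes) -> bytes:
    """b(1) = MD5(S + seed), b(i) = MD5(S + c(i-1)); c(i) = p(i) XOR b(i)."""
    out, last = b"", seed
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + last).digest()
        c = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        out += c
        last = c                      # next block is keyed by this ciphertext block
    return out


def _chain_decrypt(cipher: bytes, secret: bytes, seed: bytes) -> bytes:
    if len(cipher) % 16:
        raise ValueError("ciphertext must be a multiple of 16 bytes")
    out, last = b"", seed
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + last).digest()
        c = cipher[i:i + 16]
        out += bytes(x ^ b for x, b in zip(c, block))
        last = c                      # keyed by the *received* ciphertext block
    return out


def pw_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, then chain from the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _chain_encrypt(padded, secret, request_auth)


def pw_decrypt(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # Padding is stripped here, so a password with trailing NULs would lose them.
    return _chain_decrypt(hidden, secret, request_auth).rstrip(b"\x00")


def salt_encrypt(key: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """RFC 2548 2.4.2: value = salt || chain(len || key || pad, seed = auth || salt)."""
    if len(salt) != 2 or not (salt[0] & 0x80):
        raise ValueError("salt must be 2 bytes with the high bit set")
    if len(key) > 255:
        raise ValueError("key too long for a one-byte length prefix")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    return salt + _chain_encrypt(plain, secret, request_auth + salt)


def salt_decrypt(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if len(value) < 18:
        raise ValueError("salted value too short")
    salt, body = value[:2], value[2:]
    plain = _chain_decrypt(body, secret, request_auth + salt)
    n = plain[0]
    if n > len(plain) - 1:
        # Typical symptom of decrypting under the wrong secret/authenticator.
        raise ValueError("length byte exceeds payload: wrong secret or authenticator?")
    return plain[1:1 + n]


def proxy_password(hidden, in_secret, in_auth, out_secret, out_auth):
    """Client -> proxy -> upstream: unhide under the client hop, re-hide under the upstream hop."""
    return pw_encrypt(pw_decrypt(hidden, in_secret, in_auth), out_secret, out_auth)


def proxy_mppe_key(value, in_secret, in_auth, out_secret, out_auth, salt):
    """Upstream -> proxy -> client: decrypt with the upstream secret and the authenticator
    of the request the proxy sent, re-encrypt with the client secret and the client's
    Request Authenticator (a fresh salt is fine; it travels with the value)."""
    return salt_encrypt(salt_decrypt(value, in_secret, in_auth), out_secret, out_auth, salt)


def _try_salt_decrypt(value, secret, auth):
    try:
        return salt_decrypt(value, secret, auth)
    except ValueError:
        return None


def demo() -> dict:
    client_secret, upstream_secret = b"client-secret", b"upstream-secret"   # constructed
    client_auth = bytes(range(16))        # constructed: client's Access-Request authenticator
    proxy_auth = bytes(range(16, 32))     # constructed: authenticator of the proxied request
    pmk = bytes(range(32))                # constructed: key the upstream returns in MS-MPPE-Recv-Key

    hidden = pw_encrypt(b"hunter2", client_secret, client_auth)
    forwarded = proxy_password(hidden, client_secret, client_auth, upstream_secret, proxy_auth)

    from_upstream = salt_encrypt(pmk, upstream_secret, proxy_auth, b"\x80\x01")
    to_client = proxy_mppe_key(from_upstream, upstream_secret, proxy_auth,
                               client_secret, client_auth, b"\xab\xcd")
    return {
        "upstream_sees_password": pw_decrypt(forwarded, upstream_secret, proxy_auth),
        "client_sees_key": salt_decrypt(to_client, client_secret, client_auth),
        # Copying the attribute unchanged (what the loop above does) fails on the client hop.
        "verbatim_copy_breaks": _try_salt_decrypt(from_upstream, client_secret, client_auth) != pmk,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Applied to the proxy loop in the question: User-Password has to go through the equivalent of proxy_password on the way out, and the two MS-MPPE keys through proxy_mppe_key on the way back, with the authenticator of the request that actually carried them on each hop; Message-Authenticator and the Response Authenticator are recomputed per hop anyway, which the existing add_message_authenticator() calls already cover.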