RADIUS server using APM to authenticate users
Updated Jun 06, 2023
Version 2.0
@Kai : You're right again.
I was working on a simplification / security improvement.
    # Check the payload length according to RFC 2865: the Length field must be at least 20
    # (the fixed header), at most 4096, and must not exceed the received datagram length.
    # "S" scans a signed 16-bit value, so the lower bound also rejects lengths that wrapped negative.
    if {[binary scan [UDP::payload] cH2Sa16 QCODE IDENTIFIER QLEN Q_AUTHENTICATOR] != 4 || $QLEN < 20 || $QLEN > [UDP::payload length] || $QLEN > 4096} {
        UDP::drop
        return
    } else {
        # Store only the PAYLOAD in a variable if the Length field is valid (not greater than 4096
        # and not greater than the payload length); this avoids allocating the variable when the
        # payload is not valid. Octets outside the range of the Length field MUST be treated as
        # padding and ignored on reception.
        set PAYLOAD [UDP::payload $QLEN]
    }
    # Create a hash of the payload to manage "Duplicate Detection"
I was thinking of storing the payload MD5 hash as a session variable key (one subtable per IP address) with the response payload in the value and a 30s timeout.
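To make the two checks discussed in this comment concrete outside of an iRule, here is an added example in Python (it is not the commenter's code and not F5's): it parses the RFC 2865 header with the same rules as the `binary scan` guard above (Length at least 20, at most 4096, not larger than the datagram, trailing octets treated as padding) and implements the proposed duplicate-detection table keyed by client IP and MD5 of the length-bounded payload with a 30-second expiry. The sample Access-Request, the client address `192.0.2.10`, the shared secret and the choice to answer an uncached request with an Access-Reject are all constructed for the example; in the real setup the response would come from the APM decision.

```python
import hashlib
import struct
import time

# RFC 2865 section 3 header: Code (1), Identifier (1), Length (2, big-endian), Authenticator (16)
RADIUS_HEADER = struct.Struct("!BBH16s")
MIN_LEN, MAX_LEN = 20, 4096
ACCESS_REQUEST, ACCESS_REJECT = 1, 3
DUP_TTL = 30.0  # seconds a request/response pair stays in the duplicate table


def parse_radius(datagram: bytes):
    """Return (code, identifier, payload) or None when the header is invalid.

    The returned payload is cut at the Length field, so any trailing octets
    (padding) never reach the hash or the attribute parser.
    """
    if len(datagram) < RADIUS_HEADER.size:
        return None
    code, identifier, length, _authenticator = RADIUS_HEADER.unpack_from(datagram)
    # Unsigned unpack, so a wrapped "negative" length cannot slip past the upper bound.
    if length < MIN_LEN or length > MAX_LEN or length > len(datagram):
        return None
    return code, identifier, datagram[:length]


def build_response(code: int, identifier: int, request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response with the Response Authenticator from RFC 2865 section 3."""
    length = RADIUS_HEADER.size + len(attributes)
    head = struct.pack("!BBH", code, identifier, length)
    response_auth = hashlib.md5(head + request_auth + attributes + secret).digest()
    return head + response_auth + attributes


class DuplicateCache:
    """(client_ip, md5(payload)) -> (expiry, response), the per-IP subtable idea from the comment."""

    def __init__(self, ttl: float = DUP_TTL):
        self.ttl = ttl
        self._table = {}

    @staticmethod
    def key(client_ip: str, payload: bytes):
        # MD5 is only a cache key here, not an integrity check; the payload is already length-bounded.
        return (client_ip, hashlib.md5(payload).hexdigest())

    def lookup(self, client_ip: str, payload: bytes, now: float):
        entry = self._table.get(self.key(client_ip, payload))
        if entry is None:
            return None
        expires_at, response = entry
        if now >= expires_at:
            del self._table[self.key(client_ip, payload)]
            return None
        return response

    def store(self, client_ip: str, payload: bytes, response: bytes, now: float) -> None:
        self._table[self.key(client_ip, payload)] = (now + self.ttl, response)


def handle_request(cache: DuplicateCache, client_ip: str, datagram: bytes, secret: bytes, now=None):
    """Return (response, from_cache); (None, False) means the datagram is dropped."""
    now = time.monotonic() if now is None else now
    parsed = parse_radius(datagram)
    if parsed is None:
        return None, False  # equivalent of UDP::drop in the iRule
    code, identifier, payload = parsed
    cached = cache.lookup(client_ip, payload, now)
    if cached is not None:
        return cached, True  # retransmission: resend the stored answer, do not re-evaluate
    request_auth = payload[4:20]
    # Constructed decision for the example; APM would normally decide accept/reject here.
    response = build_response(ACCESS_REJECT, identifier, request_auth, b"", secret)
    cache.store(client_ip, payload, response, now)
    return response, False


# Constructed sample: Access-Request, Identifier 42, one User-Name attribute ("bob"),
# followed by two padding octets that the Length field (25) does not cover.
REQUEST_AUTH = bytes(range(16))
USER_NAME_ATTR = b"\x01\x05bob"
SAMPLE_REQUEST = (
    struct.pack("!BBH", ACCESS_REQUEST, 42, RADIUS_HEADER.size + len(USER_NAME_ATTR))
    + REQUEST_AUTH
    + USER_NAME_ATTR
    + b"\x00\x00"
)

if __name__ == "__main__":
    cache = DuplicateCache()
    first, hit = handle_request(cache, "192.0.2.10", SAMPLE_REQUEST, b"secret", now=100.0)
    again, hit2 = handle_request(cache, "192.0.2.10", SAMPLE_REQUEST, b"secret", now=110.0)
    print("first from cache:", hit, "retransmission from cache:", hit2, "same answer:", first == again)
```

The second `handle_request` call with the same datagram inside the 30-second window returns the stored response without re-running the decision, which is the behaviour the comment proposes; after the window the entry is discarded and the request is evaluated again.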