
[Radius] Add new option "dont_send_msg_auth" to control the addition of "message_authenticator". #263


Open
wants to merge 1 commit into
base: master
6 changes: 3 additions & 3 deletions data/templates/common-auth-sonic.j2
Expand Up @@ -32,7 +32,7 @@ auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass
# For the RADIUS servers, on success jump to the cacheing the MPL(Privilege)
{% for server in servers %}
auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass {% if not server.skip_msg_auth %}require_message_authenticator{% endif %}
auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass {% if not server.skip_msg_auth %}require_message_authenticator{% endif %} {% if server.dont_send_msg_auth %}dont_send_msg_auth{% endif %}

Copilot AI Jun 20, 2025


[nitpick] Consider adding an inline comment in the template to clarify the purpose of 'dont_send_msg_auth' for future maintainers.

Suggested change
auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass {% if not server.skip_msg_auth %}require_message_authenticator{% endif %} {% if server.dont_send_msg_auth %}dont_send_msg_auth{% endif %}
auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass {% if not server.skip_msg_auth %}require_message_authenticator{% endif %} {% if server.dont_send_msg_auth %}dont_send_msg_auth{% endif %} # Prevents sending the message authenticator to the RADIUS server if not required


{% endfor %}
auth requisite pam_deny.so
# Cache MPL(Privilege)
Expand All @@ -47,7 +47,7 @@ auth [success=ok default=ignore] pam_succeed_if.so user = root
{% endif %}
# For the RADIUS servers, on success jump to the cache the MPL(Privilege)
{% for server in servers %}
auth [success={{ (servers | count) + 1 - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass {% if not server.skip_msg_auth %}require_message_authenticator{% endif %}
auth [success={{ (servers | count) + 1 - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass {% if not server.skip_msg_auth %}require_message_authenticator{% endif %} {% if server.dont_send_msg_auth %}dont_send_msg_auth{% endif %}
{% endfor %}
# Local
auth [success=done new_authtok_reqd=done default=ignore{{ ' auth_err=die maxtries=die' if not auth['failthrough'] }}] pam_unix.so nullok try_first_pass
Expand All @@ -60,7 +60,7 @@ auth [success=1 default=ignore] pam_exec.so /usr/sbin/cache_radius
auth [success={{ (servers | count) + 2 }} default=ignore] pam_succeed_if.so user = root
# For the RADIUS servers, on success jump to the cache the MPL(Privilege)
{% for server in servers %}
auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass {% if not server.skip_msg_auth %}require_message_authenticator{% endif %}
auth [success={{ (servers | count) - loop.index0 }} new_authtok_reqd=done default=ignore{{ ' auth_err=die' if not auth['failthrough'] }}] pam_radius_auth.so conf=/etc/pam_radius_auth.d/{{ server.ip }}_{{ server.auth_port }}.conf privilege_level protocol={{ server.auth_type }} retry={{ server.retransmit }}{% if server.nas_ip is defined %} nas_ip_address={{ server.nas_ip }}{% endif %}{% if server.nas_id is defined %} client_id={{ server.nas_id }}{% endif %}{% if debug %} debug{% endif %}{% if trace %} trace{% endif %}{% if server.statistics %} statistics={{ server.ip }}{% endif %} try_first_pass {% if not server.skip_msg_auth %}require_message_authenticator{% endif %} {% if server.dont_send_msg_auth %}dont_send_msg_auth{% endif %}
{% endfor %}
auth requisite pam_deny.so
# Cache MPL(Privilege)
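Review bot: The new `dont_send_msg_auth` token is emitted independently of `skip_msg_auth`, so a server configured with skip_msg_auth false and dont_send_msg_auth true renders both `require_message_authenticator` and `dont_send_msg_auth` on the same pam_radius_auth.so line; whether the module accepts that pairing, and which one wins, is not visible here and deserves either a check in hostcfgd or a guard in the template. Because the option stops the client from sending the Message-Authenticator attribute that is meant to protect the request from tampering, the template should say so where the option is emitted, e.g. `# dont_send_msg_auth: omit Message-Authenticator from requests; only for servers that cannot handle the attribute` placed above the `{% for server in servers %}` loop. The identical line is changed in the other two hunks of this file, so the comment belongs at all three.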
8 changes: 6 additions & 2 deletions scripts/hostcfgd
Expand Up @@ -87,6 +87,7 @@ RADIUS_SERVER_TIMEOUT_DEFAULT = "5"
RADIUS_SERVER_AUTH_TYPE_DEFAULT = "pap"
RADIUS_PAM_AUTH_CONF_DIR = "/etc/pam_radius_auth.d/"
RADIUS_SERVER_SKIP_MSG_AUTH = False
RADIUS_SERVER_DONT_SEND_MSG_AUTH = False

Copilot AI Jun 20, 2025


Ensure the new constant follows the naming conventions used for similar options and that its purpose is well-documented in the configuration guide.

Suggested change
RADIUS_SERVER_DONT_SEND_MSG_AUTH = False
# Default value indicating whether RADIUS server should avoid sending message authenticator attributes.
RADIUS_SERVER_SKIP_MSG_AUTH_DEFAULT = False



# FIPS
FIPS_CONFIG_FILE = '/etc/sonic/fips.json'
Expand Down Expand Up @@ -369,7 +370,8 @@ class AaaCfg(object):
'retransmit': RADIUS_SERVER_RETRANSMIT_DEFAULT,
'timeout': RADIUS_SERVER_TIMEOUT_DEFAULT,
'passkey': RADIUS_SERVER_PASSKEY_DEFAULT,
'skip_msg_auth': RADIUS_SERVER_SKIP_MSG_AUTH
'skip_msg_auth': RADIUS_SERVER_SKIP_MSG_AUTH,
'dont_send_msg_auth': RADIUS_SERVER_DONT_SEND_MSG_AUTH
}
self.radius_global = {}
self.radius_servers = {}
Expand Down Expand Up @@ -531,7 +533,9 @@ class AaaCfg(object):
self.radius_servers[key] = data
if self.radius_servers[key].get('skip_msg_auth', None) is not None:
data['skip_msg_auth'] = is_true(self.radius_servers[key]['skip_msg_auth'])

if self.radius_servers[key].get('dont_send_msg_auth', None) is not None:
data['dont_send_msg_auth'] = is_true(self.radius_servers[key]['dont_send_msg_auth'])

if modify_conf:
self.modify_conf_file()

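Review bot: The new `dont_send_msg_auth` branch at the end of the last hunk parses the per-server value with `is_true` but nothing records that the weaker mode was enabled; logging a warning that names the server key when the flag resolves to true would let operators see the downgrade in the audit trail, since a RADIUS exchange without Message-Authenticator is harder to spot after the fact. The value is also accepted without any schema check in this hunk, so if the RADIUS_SERVER YANG model is not updated in the same change the option can be set without validation; that file is not in this diff, so this may already be handled elsewhere. The enclosing method of class AaaCfg starts and ends outside the hunk.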
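--- a/tests/hostcfgd/sample_output/RADIUS/common-auth-sonic
+++ b/tests/hostcfgd/sample_output/RADIUS/common-auth-sonic
@@ -12,11 +12,11 @@
 # root user can only be authenticated locally. Jump to local.
 auth [success=5 default=ignore] pam_succeed_if.so user = root
 # For the RADIUS servers, on success jump to the cache the MPL(Privilege)
-auth [success=6 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.1_1645.conf privilege_level protocol=pap retry=1 nas_ip_address=10.10.10.10 debug try_first_pass require_message_authenticator
-auth [success=5 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.2_1645.conf privilege_level protocol=chap retry=2 nas_ip_address=10.10.10.10 debug try_first_pass require_message_authenticator
-auth [success=4 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.3_1645.conf privilege_level protocol=chap retry=3 nas_ip_address=10.10.10.10 debug try_first_pass require_message_authenticator
-auth [success=3 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.4_1645.conf privilege_level protocol=pap retry=4 nas_ip_address=10.10.10.10 debug try_first_pass require_message_authenticator
-auth [success=2 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.5_1645.conf privilege_level protocol=pap retry=1 nas_ip_address=10.10.10.10 debug try_first_pass
+auth [success=6 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.1_1645.conf privilege_level protocol=pap retry=1 nas_ip_address=10.10.10.10 debug try_first_pass require_message_authenticator
+auth [success=5 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.2_1645.conf privilege_level protocol=chap retry=2 nas_ip_address=10.10.10.10 debug try_first_pass require_message_authenticator
+auth [success=4 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.3_1645.conf privilege_level protocol=chap retry=3 nas_ip_address=10.10.10.10 debug try_first_pass require_message_authenticator
+auth [success=3 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.4_1645.conf privilege_level protocol=pap retry=4 nas_ip_address=10.10.10.10 debug try_first_pass require_message_authenticator
+auth [success=2 new_authtok_reqd=done default=ignore auth_err=die] pam_radius_auth.so conf=/etc/pam_radius_auth.d/10.10.10.5_1645.conf privilege_level protocol=pap retry=1 nas_ip_address=10.10.10.10 debug try_first_pass dont_send_msg_auth
 # Local
 auth [success=done new_authtok_reqd=done default=ignore auth_err=die maxtries=die] pam_unix.so nullok try_first_pass
 auth requisite pam_deny.so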
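--- a/tests/hostcfgd/test_radius_vectors.py
+++ b/tests/hostcfgd/test_radius_vectors.py
@@ -91,6 +91,7 @@
 "timeout": "1",
 "passkey": "pass1",
 "skip_msg_auth": "true",
+"dont_send_msg_auth": "true",
 }
 },
 },
@@ -160,6 +161,7 @@
 "timeout": "1",
 "passkey": "pass1",
 "skip_msg_auth": "true",
+"dont_send_msg_auth": "true",
 }
 },
 },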
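Review bot: Both updated vectors set `"dont_send_msg_auth": "true"` on the same server that already carries `"skip_msg_auth": "true"`, so the tests only exercise the combination and never a server with `dont_send_msg_auth` alone, which is the case where the rendered pam line would carry both `require_message_authenticator` and `dont_send_msg_auth`. Adding a server entry with `"skip_msg_auth": "false"` and `"dont_send_msg_auth": "true"`, plus the matching line in the sample output, would pin that rendering and make any later change to how the two options interact visible in the test. The surrounding dict literals start and end outside both hunks.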