Gong Cheng [hacking]

My OpenDiameter Experience, Part II, setting up a simple 3-party EAP-MD5 test

fsmsh.com/2821 [networking] [opendiameter] [aaa] [eap-md5]

In Part I, I have shown what I did to get the build and installation going. In Part II, I will show what steps I took to get a simplest test like the following done: A EAP-MD5 test that involves an OpenDiameter server (aaad), an OpenDiameter client (nasd), and a EAP-MD5 client (pacd) talking to nasd using PANA. All three parties reside on one single host.

Simple as the test is, a lot of work is needed in OpenDiameter's case, as we will see soon.

Some Background Information

The Diameter Protocol

Diameter is intended to be the next generation AAA protocol that replaces RADIUS. Wheather and when it will replace RADIUS is not for me to discuss here, but it has already found uses in a lot of applications, notably in 3GPP and WiMAX infrastructures. I will assume that you are familiar with AAA or RADIUS and I will just try to point out a few concepts that is unique in Diameter and we will encounter in our little test.

Binaries from OpenDiameter

As already mentioned, we will be using the server binary (aaad), authenticator/ NAS binary (nasd) and the PANA client + Supplicant binary (pacd). Opendiameter also generates a series of test clients and test servers, but we will not use them here.

OpenDiameter Config files

OpenDiameter's configuration files are mostly .xml files that are in XML format and each .xml file has an companion .dtd file for Document Type Definition (DTD).

Sorry, more compilation please


I must admit that in Part I, which should take care of all compilations, I omitted one inconconvenient fact that requires a quick re-complilation. The reason is that it only affects nasd which may not be essential for a lot of uses where people are only interested in the server.

In the code that came with 1.0.7-i, nasd somehow has commented out lines related to Diameter EAP application in its initialization part. That not only makes nasd not usable for Diameter EAP, but also pretty much makes it unsable for anything. The reason is that nasd defines its peer table inside of the nasd_diameter_eap.xml (which is weird by itself since EAP is just one application) and the file won't even be read with those lines commented out.

so, we need to apply the following simple diff and redo "make; make install" in the opendiameter root directory.

+++ applications/nas/src/nasd_main.cxx  2008-04-05 06:52:44.000000000 -0700

@@ -51,17 +51,17 @@ int main(int argc, char **argv)

     /// Node writers MUST add thier initializer

     /// instance here

     NASD_PanaInitializer apPanaInit;

-    //NASD_DiameterEapInitializer aaaDiameterEapInit;

+    NASD_DiameterEapInitializer aaaDiameterEapInit;

     NASD_EapBackendInitializer aaaEapBackendInit;

     NASD_PolicyScriptInitializer plcyScriptInit;

     std::string strApPanaName("pana");

-    //std::string strAaaDiameterEapName("diameter_eap");

+    std::string strAaaDiameterEapName("diameter_eap");

     std::string strAaaEapBackendName("local_eap_auth");

     std::string strPlcyScriptName("script");

     NASD_CnInitializer_I->Register(strApPanaName, apPanaInit);

-    //NASD_CnInitializer_I->Register(strAaaDiameterEapName, aaaDiameterEapInit);

+    NASD_CnInitializer_I->Register(strAaaDiameterEapName, aaaDiameterEapInit);

     NASD_CnInitializer_I->Register(strAaaEapBackendName, aaaEapBackendInit);

Crypto related Library linking problems

On some systems I have also seen problems during build phase when linking to crypto libraries, and I suspect it has something to do with system's openssl libcrypto.a. Since it is not universal, I omitted them, but now I feel I probably should point them out too. You can omit this if you didn't have any problem following Part I.

--- configure.orig      2008-04-04 12:49:15.000000000 -0700

+++ configure   2008-04-05 05:09:15.000000000 -0700

@@ -6865,7 +6865,7 @@ fi




-  ace_TLS_LIBS="-lssl -lcrypto"

+  ace_TLS_LIBS="-lssl -lcrypto -ldl"

Update Shared Library Information

When use your binaries after first time building opendiameter, it might fail complaining about libACE. That is caused by an un-updated shared-library database on the system after new libraries are generated. I fixed it by this:

echo "/usr/local/lib/" > /etc/ld.so.conf.d/local_lib.conf

/sbin/ldconfig -v

Fix the configurations for aaad and nasd

We did do "make install" before, but unfortunately there are mutliple things that are missing in the process and we need a do-over.

The binaries of aaad and nasd are installed correctly at /usr/local/bin. There are configuration files copied at /usr/local/etc/opendiameter, but I discovered that a few issues exist:

I suggest to follow the following steps to fix those issues:

mkdir -p /etc/opendiameter/aaa/

mkdir -p /etc/opendiameter/nas/

cp -r ./applications/aaa/config/ /etc/opendiameter/aaa/

cp -r ./applications/nas/config/ /etc/opendiameter/nas/

cp -r ./applications/nas/scripts /etc/opendiameter/nas/

change the following files for aaad and nasd respectively.

Note: I have moved the Diff to the end in the Appendix section because there are some characters in the diff that will make the posting system unhappy and ruin the rest of the formating.

correct nasd_pana_dictionary.xml file which points to wrong .dtd file:

--- nasd_pana_dictionary.xml.orig       2008-04-05 15:36:40.000000000 -0700

+++ nasd_pana_dictionary.xml    2008-04-05 15:39:02.000000000 -0700

@@ -1,5 +1,5 @@

 <?xml version="1.0" encoding="UTF-8"?>

-<!DOCTYPE dictionary SYSTEM "dictionary.dtd">

+<!DOCTYPE dictionary SYSTEM "nasd_pana_dictionary.dtd">


The nasd_diameter_eap_dictionary.xml file is outdated and copy a correct one from source tree:

cp /usr/local/src/opendiameter-1.0.7-i/libdiameter/config/dictionary.xml /etc/opendiameter/nas/config/nasd_diameter_eap_dictionary.xml

then update its 2nd line from this

<!DOCTYPE dictionary SYSTEM "dictionary.dtd">

to be like this:

<!DOCTYPE dictionary SYSTEM "nasd_diameter_eap_dictionary.dtd">

fake host names

In our test, we will be using a single local host to simulate a 3-party network environment. To get things working, I am faking different domain names for nasd and aaad.

I am giving aaad the name localaaa.localdomain1.net, and nasd the name localnas.localdomain2.net and I added the following two entries in the local /etc/hosts file: localaaa localaaa.localdomain1.net localnas localnas.localdomain2.net

Get aaad and nasd talk to each first

Now, with all those setups, aaad and nasd should be able to talk to each other as peers without EAP in picture. All we need to do is to tell them who themselves are and who their peer is.

aaad side

in aaad, configure it its identity of localaaa.localdomain1.net, and its peer localnas.localdomain2.net. Apply the following change to file aaad_diameter_server.xml.

--- aaad_diameter_server.xml.orig       2008-04-05 15:14:33.000000000 -0700

+++ aaad_diameter_server.xml    2008-04-05 15:29:07.000000000 -0700

@@ -24,11 +24,11 @@




-      <dictionary>config/aaad_diameter_dictionary.xml</dictionary>

+      <dictionary>/etc/opendiameter/aaa/config/aaad_diameter_dictionary.xml</dictionary>



-      <identity>server.isp.net</identity>

-      <realm>isp.net</realm>

+      <identity>localaaa.localdomain1.net</identity>

+      <realm>localdomain1.net</realm>




@@ -38,15 +38,16 @@




-      <advertised_hostname>server1.isp.net</advertised_hostname>

+      <advertised_hostname>localaaa.localdomain1.net</advertised_hostname>




-              <hostname>nas.access1.net</hostname>

+              <hostname>localnas.localdomain2.net</hostname>









@@ -57,6 +58,7 @@








Note that I also commented out some original sample peers for simplicity.

nasd side

For nasd, update the file nasd_diameter_eap.xml similiarly: use localnas.localdomain2.net as identity and use localaaa.localdomain1.net as peer.

@@ -24,11 +25,11 @@




-      <dictionary>config/nasd_diameter_eap_dictionary.xml</dictionary>

+      <dictionary>/etc/opendiameter/nas/config/nasd_diameter_eap_dictionary.xml</dictionary>



-      <identity>nas.access1.net</identity>

-      <realm>access1.net</realm>

+      <identity>localnas.localdomain2.net</identity>

+      <realm>localdomain2.net</realm>




@@ -41,7 +42,7 @@




-              <hostname>server.isp.net</hostname>

+              <hostname>localaaa.localdomain1.net</hostname>



(7867|3038682000) Watchdog msg from [localaaa.localdomain1.net.localdomain1.net], state=1207434903, time=1207435199

I suggest that you start aaad before nasd. Based on my experience, on different systems, if doing the other way around, it either takes longer or nasd crashes. :)

Fix up pacd

The files installed at /usr/local/etc/opendiameter/pana don't seem to be usable by pacd either, so I decided not to use them at all. Unfortunately, I didn't find any proper candiate from the source tree. The best I came up with was an ugly solution (appologies!) by downloading from the latest opendiameter repository with some modifications.

cd /usr/local/src/opendiameter-1.0.7-i/applications/pana/
svn co https://diameter.svn.sourceforge.net/svnroot/diameter/cplusplus/applications/pana/config

(if you don't have svn installed, it is easy. For example, in ubuntu, do sudo apt-get install subversion)

cp /etc/opendiameter/nas/config/nasd_pana_dictionary.xml config/pana_dictionary.xml

and update its 2nd line to:

<!DOCTYPE dictionary SYSTEM "pana_dictionary.dtd">

Configure aaad, nasd and pacd for the final EAP-MD5 test

Finally, after all the hassle, we are ready to do some "true" configurations.


in both aaad_diameter_server.xml and nasd_diameter_eap.xml after the line of


I will use testuser@localdomain1.net for our EAP-MD5 test. Note that I assigned it to be in the same domain as our Diameter server.

Apply this change:

+++ aaad_user_db.xml    2008-04-05 17:57:43.000000000 -0700

@@ -41,12 +41,20 @@



+    <user_entry>

+       <name_match>testuser@localdomain1.net</name_match>

+       <eap_method>md5</eap_method>

+       <md5>

+          <password_type>flat</password_type>

+          <secret>12345</secret>

+       </md5>

+    </user_entry>


        <!-- will match any identity with

             a "user" sub-string -->

-       <name_match>user</name_match>

+       <name_match>dont_match_anyone</name_match>

        <!-- Available eap methods:

Note the line I changed from "user" to "dont_match_anyone". That is because I found that OpenDiameter seems to have a counter-ituitive way of doing match. and a entry of "user" will match any requests with "user" in its sub-string. I didn't want that.

--- config/pana_setup.xml.orig  2008-04-05 16:05:15.000000000 -0700

+++ config/pana_setup.xml       2008-04-05 16:05:42.000000000 -0700

@@ -6,7 +6,7 @@


    <!-- Username used for EAP auth -->

-   <username>user1</username>

+   <username>testuser@localdomain1.net</username>

    <!-- Assocaited password, used

         during EAP-MD5 -->

As I mentioned before, nasd uses the realm part of NAI to determine peer, and for our test, I added the following route in the route table of nasd's nasd_diameter_eap.xml file:














That tells nasd that, for requests of the realm localdomain1.net, forward it to peer localaaa.localdomain1.net.

The dictionary files used by peers are supposed to be consistent. There is one little inconsistency between them that will cause problem. In nasd's nasd_diameter_eap_dictionary.xml file, the AVP User-Name is defined as mandotory but it is not the case in aaad. Remove the mandotory part from it and make them consistent.

line 734 of nasd_diameter_eap_dictionary.xml:

    <avp name="User-Name" code="1" mandatory="must">

      <type type-name="UTF8String"/>

line 740 of aaad_diameter_dictionary.xml:

    <avp name="User-Name" code="1">

      <type type-name="UTF8String"/>


Finally, we are ready.

Restart your aaad and nasd like before, and make sure they have established connections.

Now start pacd from the applications/pana directory like this: (as root)

./pacd -f config/pana_setup.xml

And if you see messages from pacd window like this, then you are good.

Peer: Success received.

Peer:  Success.

Authentication success at peer

Welcome to the world, testuser@localdomain1.net !!!


I don't know about you, but I feel tired by now after all this, and that is just a EAP-MD5 test that can't be made simpler. As I stated before, I am new to OpenDiameter myself and my way of doing things might not be the right way, so be cautioned there! I am also sorry that at the point I don't have much more to contribute, but I do hope this little two-part article can help other OpenDiameter beginners. If it does help you to get started, I encourage you to contribute back by sharing your tricks too.

In my opinion, OpenDiameter does not seems to be in a mature stage yet. It suits to serve as a starting point to develop your own applications or to conduct your Diameter tests in the labs, but I am not sure about more serious deployments. Again, I could be totally off, but if that is the case, I hope the true experts could step up and provide more documentations.

I am also very much looking forward to the next release (1.0.8) which is delayed. And I hope all those issues I have met, if they are real, will be fixed and more importantly, more documents please!


[1] OpenDiameter README file from 1.0.7-i source package




Appendix for MD5 link problem

Please note that, since this (ugly) patch affects the Makefile.in files, you will need to redo ./configure for the OpenDiameter after applying the changes.

--- ./libdiameternasreq/Makefile.in.orig        2008-04-05 13:08:04.000000000 -0700

+++ ./libdiameternasreq/Makefile.in     2008-04-05 13:26:32.000000000 -0700

@@ -381,12 +381,12 @@ test/client_test.$(OBJEXT): test/$(am__d


 client_test$(EXEEXT): $(client_test_OBJECTS) $(client_test_DEPENDENCIES) 

        @rm -f client_test$(EXEEXT)

-       $(CXXLINK) $(client_test_LDFLAGS) $(client_test_OBJECTS) $(client_test_LDADD) $(LIBS)

+       $(CXXLINK) $(client_test_LDFLAGS) $(client_test_OBJECTS) $(client_test_LDADD) $(LIBS) -lcrypto

 test/server_test.$(OBJEXT): test/$(am__dirstamp) \


 server_test$(EXEEXT): $(server_test_OBJECTS) $(server_test_DEPENDENCIES) 

        @rm -f server_test$(EXEEXT)

-       $(CXXLINK) $(server_test_LDFLAGS) $(server_test_OBJECTS) $(server_test_LDADD) $(LIBS)

+       $(CXXLINK) $(server_test_LDFLAGS) $(server_test_OBJECTS) $(server_test_LDADD) $(LIBS) -lcrypto



        -rm -f *.$(OBJEXT)

--- ./applications/nas/Makefile.in.orig 2008-04-05 13:08:11.000000000 -0700

+++ ./applications/nas/Makefile.in      2008-04-05 13:26:40.000000000 -0700

@@ -331,7 +331,7 @@ src/nasd_diameter_eap.$(OBJEXT): src/$(a


 nasd$(EXEEXT): $(nasd_OBJECTS) $(nasd_DEPENDENCIES) 

        @rm -f nasd$(EXEEXT)

-       $(CXXLINK) $(nasd_LDFLAGS) $(nasd_OBJECTS) $(nasd_LDADD) $(LIBS)

+       $(CXXLINK) $(nasd_LDFLAGS) $(nasd_OBJECTS) $(nasd_LDADD) $(LIBS) -lcrypto



        -rm -f *.$(OBJEXT)

--- ./applications/aaa/Makefile.in.orig 2008-04-05 13:08:20.000000000 -0700

+++ ./applications/aaa/Makefile.in      2008-04-05 13:26:49.000000000 -0700

@@ -315,7 +315,7 @@ src/aaad_diameter_eap.$(OBJEXT): src/$(a


 aaad$(EXEEXT): $(aaad_OBJECTS) $(aaad_DEPENDENCIES) 

        @rm -f aaad$(EXEEXT)

-       $(CXXLINK) $(aaad_LDFLAGS) $(aaad_OBJECTS) $(aaad_LDADD) $(LIBS)

+       $(CXXLINK) $(aaad_LDFLAGS) $(aaad_OBJECTS) $(aaad_LDADD) $(LIBS) -lcrypto



        -rm -f *.$(OBJEXT)

--- ./applications/pana/Makefile.in.orig        2008-04-05 13:08:27.000000000 -0700

+++ ./applications/pana/Makefile.in     2008-04-05 13:27:12.000000000 -0700

@@ -273,10 +273,10 @@ clean-noinstPROGRAMS:


 client_pana_eaptls$(EXEEXT): $(client_pana_eaptls_OBJECTS) $(client_pana_eaptls_DEPENDENCIES) 

        @rm -f client_pana_eaptls$(EXEEXT)

-       $(CXXLINK) $(client_pana_eaptls_LDFLAGS) $(client_pana_eaptls_OBJECTS) $(client_pana_eaptls_LDADD) $(LIBS)

+       $(CXXLINK) $(client_pana_eaptls_LDFLAGS) $(client_pana_eaptls_OBJECTS) $(client_pana_eaptls_LDADD) $(LIBS) -lcrypto

 pacd$(EXEEXT): $(pacd_OBJECTS) $(pacd_DEPENDENCIES) 

        @rm -f pacd$(EXEEXT)

-       $(CXXLINK) $(pacd_LDFLAGS) $(pacd_OBJECTS) $(pacd_LDADD) $(LIBS)

+       $(CXXLINK) $(pacd_LDFLAGS) $(pacd_OBJECTS) $(pacd_LDADD) $(LIBS) -lcrypto



        -rm -f *.$(OBJEXT)

--- ./libeap/Makefile.in.orig   2008-04-05 13:10:41.000000000 -0700

+++ ./libeap/Makefile.in        2008-04-05 13:25:21.000000000 -0700

@@ -569,12 +569,12 @@ tests/md5_test.$(OBJEXT): tests/$(am__di


 md5_test$(EXEEXT): $(md5_test_OBJECTS) $(md5_test_DEPENDENCIES) 

        @rm -f md5_test$(EXEEXT)

-       $(CXXLINK) $(md5_test_LDFLAGS) $(md5_test_OBJECTS) $(md5_test_LDADD) $(LIBS)

+       $(CXXLINK) $(md5_test_LDFLAGS) $(md5_test_OBJECTS) $(md5_test_LDADD) $(LIBS) -lcrypto

 tests/tls_test.$(OBJEXT): tests/$(am__dirstamp) \


 tls_test$(EXEEXT): $(tls_test_OBJECTS) $(tls_test_DEPENDENCIES) 

        @rm -f tls_test$(EXEEXT)

-       $(CXXLINK) $(tls_test_LDFLAGS) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS)

+       $(CXXLINK) $(tls_test_LDFLAGS) $(tls_test_OBJECTS) $(tls_test_LDADD) $(LIBS) -lcrypto



        -rm -f *.$(OBJEXT)

--- ./libdiametereap/Makefile.in.orig   2008-04-05 14:05:46.000000000 -0700

+++ ./libdiametereap/Makefile.in        2008-04-05 14:06:11.000000000 -0700

@@ -418,7 +418,7 @@ src/diameter_eap_der_parser.lo: src/$(am

 src/diameter_eap_dea_parser.lo: src/$(am__dirstamp) \


 libdiametereap.la: $(libdiametereap_la_OBJECTS) $(libdiametereap_la_DEPENDENCIES) 

-       $(CXXLINK) -rpath $(libdir) $(libdiametereap_la_LDFLAGS) $(libdiametereap_la_OBJECTS) $(libdiametereap_la_LIBADD) $(LIBS)

+       $(CXXLINK) -rpath $(libdir) $(libdiametereap_la_LDFLAGS) $(libdiametereap_la_OBJECTS) $(libdiametereap_la_LIBADD) $(LIBS) -lcrypto



        @list='$(noinst_PROGRAMS)'; for p in $$list; do \

@@ -436,22 +436,22 @@ test/client_test.$(OBJEXT): test/$(am__d


 client_test$(EXEEXT): $(client_test_OBJECTS) $(client_test_DEPENDENCIES) 

        @rm -f client_test$(EXEEXT)

-       $(CXXLINK) $(client_test_LDFLAGS) $(client_test_OBJECTS) $(client_test_LDADD) $(LIBS)

+       $(CXXLINK) $(client_test_LDFLAGS) $(client_test_OBJECTS) $(client_test_LDADD) $(LIBS) -lcrypto

 test/client_test_tls.$(OBJEXT): test/$(am__dirstamp) \


 client_test_tls$(EXEEXT): $(client_test_tls_OBJECTS) $(client_test_tls_DEPENDENCIES) 

        @rm -f client_test_tls$(EXEEXT)

-       $(CXXLINK) $(client_test_tls_LDFLAGS) $(client_test_tls_OBJECTS) $(client_test_tls_LDADD) $(LIBS)

+       $(CXXLINK) $(client_test_tls_LDFLAGS) $(client_test_tls_OBJECTS) $(client_test_tls_LDADD) $(LIBS) -lcrypto

 test/server_test.$(OBJEXT): test/$(am__dirstamp) \


 server_test$(EXEEXT): $(server_test_OBJECTS) $(server_test_DEPENDENCIES) 

        @rm -f server_test$(EXEEXT)

-       $(CXXLINK) $(server_test_LDFLAGS) $(server_test_OBJECTS) $(server_test_LDADD) $(LIBS)

+       $(CXXLINK) $(server_test_LDFLAGS) $(server_test_OBJECTS) $(server_test_LDADD) $(LIBS) -lcrypto

 test/server_test_tls.$(OBJEXT): test/$(am__dirstamp) \


 server_test_tls$(EXEEXT): $(server_test_tls_OBJECTS) $(server_test_tls_DEPENDENCIES) 

        @rm -f server_test_tls$(EXEEXT)

-       $(CXXLINK) $(server_test_tls_LDFLAGS) $(server_test_tls_OBJECTS) $(server_test_tls_LDADD) $(LIBS)

+       $(CXXLINK) $(server_test_tls_LDFLAGS) $(server_test_tls_OBJECTS) $(server_test_tls_LDADD) $(LIBS) -lcrypto



        -rm -f *.$(OBJEXT)

Appendix for the Diff that missed in Step 2 above

aaad_diameter_server.xml for aaad:

--- aaad_diameter_server.xml.orig       2008-04-05 15:14:33.000000000 -0700

+++ aaad_diameter_server.xml    2008-04-05 15:15:19.000000000 -0700

@@ -24,7 +24,7 @@




-      <dictionary>config/aaad_diameter_dictionary.xml</dictionary>

+      <dictionary>/etc/opendiameter/aaa/config/aaad_diameter_dictionary.xml</dictionary>




nasd_pana_paa.xml and  nasd_diameter_eap.xml for nasd:

--- nasd_pana_paa.xml.orig      2008-04-05 15:17:08.000000000 -0700

+++ nasd_pana_paa.xml   2008-04-05 15:18:55.000000000 -0700

@@ -12,7 +12,7 @@


         <!-- Filename of the parser dictionary -->

-        <dictionary_filename>config/dictionary.xml</dictionary_filename>

+        <dictionary_filename>/etc/opendiameter/nas/config/nasd_pana_dictionary.xml</dictionary_filename>

         <!-- Configurable retransmission parameters

              as specified in the PANA draft. See

--- nasd_diameter_eap.xml.orig  2008-04-05 15:16:57.000000000 -0700

+++ nasd_diameter_eap.xml       2008-04-05 15:19:05.000000000 -0700

@@ -24,7 +24,7 @@




-      <dictionary>config/nasd_diameter_eap_dictionary.xml</dictionary>

+      <dictionary>/etc/opendiameter/nas/config/nasd_diameter_eap_dictionary.xml</dictionary>





Verbatim copying and distribution of this entire article are permitted worldwide, without royalty, in any medium, provided this notice is preserved.