radclient and Message-Authenticator validation
Bjørn Mork
bjorn at mork.no
Mon May 7 12:07:55 CEST 2012
Jouni Malinen <j at w1.fi> writes:
> It is that "The Request Authenticator is taken from the corresponding
> CoA/Disconnect-Request" part that does not seem to be followed by the
> current rad_verify() implementation. It clears the Authenticator field
> to all zeros (which is the mechanism used for the Request message)
> instead of using the Authenticator field from the Request message when
> validating the ACK/NAK message. Is this a workaround for some deployed
> NAS implementations or can this be fixed to match with RFC 5176?
Form the git history, this looks like just an accident. Are there any
NAS out there actually sending a Message-Authenticator in these replies?
None of the ones I've tested does that, not even the FreeRADIUS server
itself.
I assume that's the reason noone has hit this before.
> The following change was enough to make this interoperate with my
> hostapd implementation.
Right, then there is one :-)
I'd say fix it, and then fix any NAS which would happen to break. RFC
compliance is a priority for the FreeRADIUS project as far as I know.
Bjørn
More information about the Freeradius-Devel
mailing list