<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Jun 10, 2014 at 1:28 AM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">Peter Lambrechtsen wrote:<br>
> So this means that the Message-Authenticator HMAC value should be<br>
> calculated on the assumption the Packet Authenticator is all zero bytes<br>
<br>
</div> Yes. That's how FreeRADIUS works. The code is available, you just<br>
need to read it.<br>
<div class=""><br>
> so it would look something like this:<br>
><br>
> 2b90002b000000000000000000000000000000000105626f62501200000000000000000000000000000000<br>
><br>
> And then the Packet Authenticator and the Message-Authenticator gets<br>
> added in and you end up with a packet like this:<br>
><br>
> 2b90002b9b6756059c3b56559d67f44418ae1fb70105626f6250125d68bd8fc122f6f2346e51872ba21fc3<br>
<br>
</div> Not entirely. Order is important.<br>
<br>
Step 1:<br>
<br>
2b90002b000000000000000000000000000000000105626f62501200000000000000000000000000000000<br>
<br>
Step 2:<br>
<br>
2b90002b000000000000000000000000000000000105626f6250125d68bd8fc122f6f2346e51872ba21fc3<br>
<br>
Step 3:<br>
<div class=""><br>
2b90002b9b6756059c3b56559d67f44418ae1fb70105626f6250125d68bd8fc122f6f2346e51872ba21fc3<br>
<br>
<br>
> Is this correct? As that is how it seems to be working for me. And I<br>
> just wanted to make sure I was approaching this correctly. As it seems a<br>
> little strange that the CoA/DM messages would prefer to have a null<br>
> Authenticator message when calculating a Message-Authenticator. But it<br>
> seems to be the way it is.<br>
<br>
</div> You have to calculate one and then the other. There's no way to do<br>
both at the same time.<br></blockquote><div><br></div><div>Thanks Alan, that is what I had realised (after reading the code, and wanting to make sure I was reading it correctly as C isn't my strong suit). I had misunderstood and now know that the Packet Authenticator needs to be a "proper" one based off the MD5 of the Packet Type/Identifier/Attributes rather than just the purely random number that is used for the Access-Request. After I figured out the MD5 encoding process from Step 2 to Step 3 then everything works.</div>
<div><br></div><div>I now have a working JMeter test suite that can make Radius calls including Message-Authenticator for all common packet types Access-Request/Accounting/CoA/DM/Status after hacking TinyRadius. Seems to work well for me. Now I just need to build a patch for the JMeter folks to accept.</div>
<div><br></div><div>Happy to send you a link if you were interested.</div><div><br></div><div>Cheers</div><div><br></div><div>Peter</div></div></div></div>
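<div>The three-step ordering Alan lays out above (zero both fields, fill in the Message-Authenticator, then compute the Request Authenticator), as an added Python example that is not part of this thread nor of FreeRADIUS or TinyRadius. The shared secret is a constructed placeholder, since the mail never shows it, so the digests produced here will not match the bytes quoted above, although the step 1 packet is byte-for-byte the one in the mail (CoA-Request 43, identifier 0x90, User-Name "bob"). The receiver-side check is my addition and follows the RFC 2866/RFC 5176 Request Authenticator definition (MD5 over Code, Identifier, Length, 16 zero octets, the attributes as sent, and the shared secret) and the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the shared secret over the packet with both fields zeroed); the attribute parser rejects malformed lengths rather than indexing past the buffer.</div>

```python
import hashlib
import hmac

CODE_COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20
ZERO16 = bytes(16)

# Constructed placeholder: the thread never shows the shared secret, so the
# digests this script produces will not match the bytes quoted in the mail.
SHARED_SECRET = b"example-shared-secret"


def encode_attr(attr_type, value):
    """RADIUS TLV: Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def compute_message_authenticator(packet_with_zeroed_fields, secret):
    """HMAC-MD5 keyed with the secret; Authenticator and Message-Authenticator must be zero."""
    return hmac.new(secret, packet_with_zeroed_fields, hashlib.md5).digest()


def compute_request_authenticator(packet_with_zero_authenticator, secret):
    """MD5(Code + Id + Length + 16 zero octets + attributes as sent + secret)."""
    return hashlib.md5(packet_with_zero_authenticator + secret).digest()


def build_coa_request(identifier, user_name, secret):
    """Return the three intermediate packets of the ordering discussed in the thread."""
    # Step 1: Request Authenticator and Message-Authenticator are both all zero.
    attrs_step1 = (encode_attr(ATTR_USER_NAME, user_name)
                   + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, ZERO16))
    length = HEADER_LEN + len(attrs_step1)
    header = bytes([CODE_COA_REQUEST, identifier]) + length.to_bytes(2, "big")
    step1 = header + ZERO16 + attrs_step1

    # Step 2: Message-Authenticator over the step 1 packet; Authenticator stays zero.
    msg_auth = compute_message_authenticator(step1, secret)
    step2 = (header + ZERO16 + encode_attr(ATTR_USER_NAME, user_name)
             + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, msg_auth))

    # Step 3: Request Authenticator over the step 2 packet, i.e. with the real
    # Message-Authenticator already in place. Doing this from step 1 gives a wrong value.
    req_auth = compute_request_authenticator(step2, secret)
    step3 = header + req_auth + step2[HEADER_LEN:]
    return step1, step2, step3


def parse_attrs(data):
    """Return (type, value_offset, value) per TLV; reject malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, pos + 2, data[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_coa_request(packet, secret):
    """Receiver-side check: both digests must match; comparisons are constant-time."""
    if len(packet) < HEADER_LEN:
        return False
    header, req_auth, attr_bytes = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if header[0] != CODE_COA_REQUEST or int.from_bytes(header[2:4], "big") != len(packet):
        return False
    try:
        attrs = parse_attrs(attr_bytes)
    except ValueError:
        return False
    found = [(off, val) for (t, off, val) in attrs
             if t == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16]
    if len(found) != 1:
        return False
    off, msg_auth = found[0]
    # Undo step 2 for the HMAC input: zero the Message-Authenticator value and the Authenticator.
    zeroed_attrs = attr_bytes[:off] + ZERO16 + attr_bytes[off + 16:]
    expected_msg = compute_message_authenticator(header + ZERO16 + zeroed_attrs, secret)
    # The Request Authenticator covers the attributes exactly as they were sent.
    expected_req = compute_request_authenticator(header + ZERO16 + attr_bytes, secret)
    ok_msg = hmac.compare_digest(msg_auth, expected_msg)
    ok_req = hmac.compare_digest(req_auth, expected_req)
    return ok_msg and ok_req


if __name__ == "__main__":
    s1, s2, s3 = build_coa_request(0x90, b"bob", SHARED_SECRET)
    for name, pkt in (("step 1", s1), ("step 2", s2), ("step 3", s3)):
        print(name, pkt.hex())
    print("verifies:", verify_coa_request(s3, SHARED_SECRET))
```

<div>Running it prints the same three stages as the mail, with the step 1 bytes identical and the other two depending on the placeholder secret. The verifier deliberately fails a packet that stopped at step 2 (Authenticator still zero), a packet with the wrong secret, and a packet whose User-Name was altered after signing.</div>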