FreeRadius Proxying and Message-Authenticator

Paolo Rotela paolo.rotela at bluetelecom.com
Wed Sep 14 15:20:49 CEST 2005


I wonder if it is correct to discard a packet based on the presence of an 
attribute whose use is not defined by any standard. I've read the 
"aboba-radext-fixes" and I see that FR is calculating Message-Authenticator 
in Accounting packets this way. But there is no RFC about it... RFC2869 
describes how to handle incorrect or missing Message-Authenticator in 
Access-* packets, it doesn't say that you must discard an Accounting packet 
with invalid Message Authenticator, because as you say there is no standard 
about how to calculate it.

I suggest at least a configuration option that can help to avoid this 
compatibility issue, giving the user the option of accepting or not 
"incorrect" MAs in Accounting.

I'll try to find out the algorithm used by Cisco... If I happen to be 
successful, I'll post it.

Thanks


Date: Tue, 13 Sep 2005 17:57:05 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: FreeRadius Proxying and Message-Authenticator
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <20050913215705.0B8CA170D2 at mail.nitros9.org>

"Paolo Rotela" <paolo.rotela at bluetelecom.com> wrote:
> Hi. I've downloaded FR 1.0.5 which is supposed to have a bugfix for
> Message-Authenticator handling in Accounting-* messages.

  The issue is that the suggested method of calculating
Message-Authenticator MAY NOT be the same as what Cisco's using.
Because there's no standard, Cisco may be doing almost *anything*.

> Am I missing something?

  If you can find out the algorithm used by Cisco, we may be able to
update FreeRADIUS to handle it.  Until then, there isn't much we can
do.


Ing. Paolo Rotela
Jefe Técnico
Blue Telecom 