FreeRadius Proxying and Message-Authenticator

Paolo Rotela paolo.rotela at bluetelecom.com
Wed Sep 14 19:06:50 CEST 2005


From: "Alan DeKok" <aland at ox.org>


> "Paolo Rotela" <paolo.rotela at bluetelecom.com> wrote:
>> I wonder if it is correct to discard a packet based on the presence of an
>> attribute whose use is not defined by any standard.
>
>  No.  FreeRADIUS doesn't do that.
>
>  The Message-Authenticator attribute *is* defined, but not well.
>

Where is it defined? RFC 2869 only talks about how to handle it in Access-* 
packets, and particularly the handling with respect to EAP. It doesn't say 
that you MUST or MAY discard an Accounting-* packet with a missing or bad 
Message-Authenticator.

If there is an RFC in which it says that this should be the behaviour, please 
give me the number, because I can't find it, and in your "Issues and Fixes" 
document I couldn't find a reference which points to such a document.

On the other hand, I don't believe it's correct to discard those packets 
because the document on which FR's calculation of Message-Authenticator is 
based is in DRAFT status; it is not yet an RFC. So what you are doing like 
this (IMHO) is creating your own version of RADIUS, based on a DRAFT.

At the state of the art, I think, nobody can tell each other what 
Message-Authenticator is valid or not in this case... so nobody is able to 
discard a packet as "invalid", until an RFC arrives.

Eng. Paolo Rotela
CTO
Blue Telecom 



