Problem with the attribute "Message-Authenticator"



    I wrote a program to send an Access-Request packet to the RADIUS server. The packet format is as follows:
    ______________________________________________________________
    |  code = 1      |  ID = 1      |  Length = 73 ( 0x 00 49 )  |
    ______________________________________________________________
    |  16 bytes authenticator                                    |
    ______________________________________________________________
    |  user_name = "test"                                        |
    ______________________________________________________________
    |  chap_password                                             |
    ______________________________________________________________
    |  eap_message = "pdsicygx"                                  |
    ______________________________________________________________
    |  Message_authenticator                                     |
    ______________________________________________________________
    The Message_authenticator is calculated as follows:
     Message_authenticator = HMAC-MD5 (code, ID, Length, 16 bytes Authenticator, user_name, chap_password, eap_message),
using the shared secret between the NAS and the RADIUS server, in this case, "testing123".
    While sending "chap" packets without the "eap_message" and "Message_authenticator" gets "Access request", sending packets like the above gets a response from the RADIUS server as follows:
    rad_recv: Access-Request packet from host 202.117.7.223:1408, id=1, length=73
    Received packet from 202.117.7.223 with invalid Message-Authenticator!  (Shared secret is incorrect.)
    Server rejecting request 1.
    Finished request 1
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 1 to 202.117.7.223:1408

    Segments of the "Radiusd -X" output are as follows:
    ...
    Module: Loaded eap
    eap: default_eap_type = "md5"
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    ...
    Can the "eap_message" attribute be set randomly (in my packets, "pdsicygx")? Is it right to calculate "Message_authenticator" as I did?
  

Regards
Guoxian


