Jouni Malinen <j@w1.fi> writes:
It is that "The Request Authenticator is taken from the corresponding CoA/Disconnect-Request" part that does not seem to be followed by the current rad_verify() implementation. It clears the Authenticator field to all zeros (which is the mechanism used for the Request message) instead of using the Authenticator field from the Request message when validating the ACK/NAK message. Is this a workaround for some deployed NAS implementations or can this be fixed to match with RFC 5176?
Form the git history, this looks like just an accident. Are there any NAS out there actually sending a Message-Authenticator in these replies? None of the ones I've tested does that, not even the FreeRADIUS server itself. I assume that's the reason noone has hit this before.
The following change was enough to make this interoperate with my hostapd implementation.
Right, then there is one :-) I'd say fix it, and then fix any NAS which would happen to break. RFC compliance is a priority for the FreeRADIUS project as far as I know. Bjørn