>From 23ffa5ef800bcae6161b8a66a1ac06c356a37efc Mon Sep 17 00:00:00 2001
From: John Dennis <jdennis@redhat.com>
Date: Tue, 20 Sep 2011 17:56:22 -0400
Subject: [PATCH] Always send Message-Authenticator in radtest
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Originally Message-Authenticator was introduced to provide message
integrity for EAP messages and originally the Message-Authenticator
attribute was only required for EAP messages.

But then RFC 5080 came along and suggested Message-Authenticator
always be sent as best practice.

   Any Access-Request packet that performs authorization checks,
   including Call Check, SHOULD contain a Message-Authenticator
   attribute.

RFC 5080 then goes on to say:

   ... server implementations may be configured to require the
   presence of a Message-Authenticator attribute in Access-Request
   packets.  Requests not containing a Message-Authenticator attribute
   MAY then be silently discarded.

The raddb/clients.conf has this configuration option to satisfy the
above suggestion in RFC 5080:

   require_message_authenticator = no|yes

If require_message_authenticator == yes then non-EAP auth-requests
generated by radtest will fail because currently radtest only supplies
the Message-Authenticator if EAP is being performed. With modern
Radius servers (e.g. FreeRADIUS) there is no harm in providing the
Message-Authenticator attribute for non-EAP packets, in fact it's
actually recommended in RFC 5080.

Therefore radtest should ALWAYS send the Message-Authenticator
attribute. If it's EAP or if the server is configured with
require_message_authenticator it must be present. If those conditions
do not hold it's benign. However if require_message_authenticator is
configured radtest will fail for non-EAP.
---
 src/main/radtest.in |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/main/radtest.in b/src/main/radtest.in
index cc2ae12..d0e7101 100644
--- a/src/main/radtest.in
+++ b/src/main/radtest.in
@@ -120,11 +120,11 @@ fi
 	echo "$PASSWORD = \"$2\""
 	echo "$NAS_ADDR_ATTR = $nas"
 	echo "NAS-Port = $4"
+	echo "Message-Authenticator = 0x00"
 	if [ "$radclient" = "$radeapclient" ]
 	then
 	    echo "EAP-Code = Response"
 	    echo "EAP-Type-Identity = \"$1\""
-	    echo "Message-Authenticator = 0x00"
 	fi
 	if [ "$6" ]
 	then
-- 
1.7.6.2

