On Mon, Jun 27, 2011 at 01:09:39PM +0200, Alan DeKok wrote:
Frederic Leroy wrote:
Hello,
I have a device which adds message-authenticator attribute (80) in its accounting-response. If I understand correctly, it follows rfc5997 ( see section 5 ) which is informational.
Section 5 shows that the server accounting response can have a message-authenticator avp.
Ah... the authentication vector for Status-Server is random, while it's zero for Accounting-Request. As a result, the calculation of the response authenticator for Accounting-Request is different.
Rfc 3579, section 3.2, indicates how the Message-Authenticator is calculated on the server side. The request-authenticator is not zero, but those of the request packet ( original->vector ) whereas the message-authenticator is zero. This is the same case of PW_AUTHENTICATION_ACK, PW_AUTHENTICATION_REJECT, PW_ACCESS_CHALLENGE.
Using radclient, it rejects the accounting-response of my device. So here is a patch to libfreeradius to make it works. That breaks accounting packets.
I've put a better fix into git.
The patch don't work for me, I tested it ... sorry. -- Frederic Leroy