Peter Lambrechtsen wrote:
So this means that the Message-Authenticator HMAC value should be calculated on the assumption the Packet Authenticator is all zero bytes
Yes. That's how FreeRADIUS works. The code is available, you just need to read it.
so it would look something like this:
2b90002b000000000000000000000000000000000105626f62501200000000000000000000000000000000
And then the Packet Authenticator and the Message-Authenticator gets added in and you end up with a packet like this:
2b90002b9b6756059c3b56559d67f44418ae1fb70105626f6250125d68bd8fc122f6f2346e51872ba21fc3
Not entirely. Order is important. Step 1: 2b90002b000000000000000000000000000000000105626f62501200000000000000000000000000000000 Step 2: 2b90002b000000000000000000000000000000000105626f6250125d68bd8fc122f6f2346e51872ba21fc3 Step 3: 2b90002b9b6756059c3b56559d67f44418ae1fb70105626f6250125d68bd8fc122f6f2346e51872ba21fc3
Is this correct? As that is how it seems to be working for me. And I just wanted to make sure I was approaching this correctly. As it seems a little strange that the CoA/DM messages would prefer to have a null Authenticator message when calculating a Message-Authenticator. But it seems to be the way it is.
You have to calculate one and then the other. There's no way to do both at the same time. Alan DeKok.