"Eliot, Wireless and Server Administrator, Great Lakes Internet" <support8@greatlakes.net> wrote:
Is the message authenticator attribute properly implemented in FreeRADIUS?
Huh? Would you expect the answer to be "no"?
This indicates that anytime it adds a Message-Authenticator attribute, it simply sets it to 0. This would explain why I get:
Message-Authenticator = 0x00000000000000000000000000000000
In my proxied packets. However, it could just be that the attributes are getting displayed before the authenticator is actually computed and that the authenticator is getting computed and sent out correctly in the actual packet.
Yes, that's what it's doing.
I read a post from a long time ago about putting the attribute (set to any value) in the response list, but that does not seem to work (unless I did it wrong):
/etc/raddb/preproxy_users:
DEFAULT Message-Authenticator = 1
You're adding it to the proxied packet. Read the docs.
Anyway, I think I am running into a problem with not having this in the packets. I am proxying requests from my Windows XP SP2 supplicant to my Cisco 1310 AP
That's not proxying. The supplicant doesn't do RADIUS.
When the proxied reply (Access-Challenge) goes out of the router back towards the Cisco 1310 AP and the supplicant, the Cisco or the supplicant (can't tell which) is ignoring the reply and then sending a new request.
That's most likely the "extended key" oid nonsense that Microsoft needs.
Can anyone verify whether the Message-Authenticator attribute is or is not working properly? If it is not working, is it really likely to be causing this problem?
It works. Alan DeKok.