There is no way to generate a message authenticator in an Accounting-Request packet the usual way it's generated for an Access-Request. The accounting packet is signed by the client therefore there cannot be two signatures created for the entire the packet. By the very nature of creating signature the second signature will alter the packet's contents invalidating the first signature. The Message-Authenticator can be only one of two things. Either it's calculated as a hash of the attributes or it's a random number (like the Access-Request authenticator). From your information I suspect it's the former. You might try using the traditional MA calculation for the MA on just the attributes with an empty (zeroed) MA present and back patch the MA. If this works please let me know. Or, if someone has accounting packets generated with proper MA's please send them to me and I'll try some standard hashes. The MA is traditionally created as an MD5-HMAC of the shared secret and the entire packet's contents with an empty (16 byte) Message-Authenticator. For an accounting packet MA use just the attribute block instead of the entire packet try just the attributes with the empty MA. Ashwin Gobind wrote:
Hi.
Is there anyway to generate a message authenticator for an accounting request packet. At the moment I am using JRadius, I need to send an accounting request message to another radius server. However after I add the message authenticator and send to to another server, the other server complains about “Invalid message authenticator” (Shared secret is incorrect).
Here is some code :
//Proxy request to the wap gateway
DatagramSocket socket = new DatagramSocket();
socket.setSoTimeout(5000);
//Generate authenticator
MessageDigest md5 = MessageDigest.getInstance("MD5");
md5.reset();
md5.update((byte)req.getCode());
md5.update((byte)req.getIdentifier());
int length = req.getBytes().length;
byte [] authenticator = req.getAuthenticator();
byte [] attributeBytes = req.getAttributeBytes(req.getAttributes(),0);
for (int z=0; z <authenticator.length ; z++ )
RadiusLog.debug("Autenticator["+z+"] Before = " + authenticator[z]);
RadiusLog.debug("Autenticator Length: " + authenticator.length);
RadiusLog.debug("Attributes Length: " + attributeBytes.length);
RadiusLog.debug("Paket Length: " + length);
String sharedSecret = "testing123";
md5.update((byte)(length >> 8));
md5.update((byte)(length & 0xff));
md5.update(authenticator, 0, authenticator.length);
md5.update(attributeBytes, 0, attributeBytes.length);
md5.update(sharedSecret.getBytes());
req.overwriteAttribute(AttributeFactory.newAttribute(AttributeDictionary.MESSAGE_AUTHENTICATOR, authenticator));
System.arraycopy(md5.digest(), 0, authenticator, 0, 16);
“This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.net/legal/email.aspx <http://www.vodacom.net/legal/email.asp> "
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html