"Paolo Rotela" <paolo.rotela@bluetelecom.com> wrote:
I wonder if it is correct to discard a packet based on the presence of an attribute witch use is not defined by any standard.
No. FreeRADIUS doesn't do that. The Message-Authenticator attribute *is* defined, but not well.
I've read the "aboba-radext-fixes" and I see that FR is calculating Message-Authenticator in Accounting packets this way. But there is no RFC about it... RFC2869 describes how to handle incorrect or missing Message-Authenticator in Access-* packets, it doesn't say that you must discard an Accounting packet with invalid Message Authenticator, because as you say there is no standard about how to calculate it.
Which is why the "Isuess & Fixes" document was written.
I suggest at least a configuration option that can help to avoid this compatibility issue, giving the user the option of accepting or not "incorrect" MAs in Accounting.
That's a security bug, and will *not* go into the server.
I'll try to find out the algorithm used by Cisco... If I happen to be successful, I'll post it.
That would be appreciated, thanks. Alan DeKOk.