Thomas Glanzmann wrote:
my initial thought that the state may only contain numbers, was wrong. Now I want to verify that the message authenticator sent by freeradius is correct, can you please walk me through how to do that?
Read the code.
I also added debugging code to freeradius so that it tells me that it creates the Authenticator after smsotp was called and the reply type is set to Access-Challenge. But it needs to be something and the Message Authenticator is the only thing that I can't currently verify, so I have the hope that freeradius does calculate it wrong for Access-Challenges at least when using the rlm_smsotp module. Please advice.
FreeRADIUS calculates the correct Message-Authenticator.
Shared secret between freeradius and client: testing123
PCAP File: http://thomas.glanzmann.de/tmp/freeradius.pcap
And I'm interested how I can verify that the Message Authentictor in the Access-Challenge is correct.
You're wasting your time. FreeRADIUS works. It works with 1000's of access points and switches. If it doesn't work with some vendors product, it's because that vendor doesn't implement RADIUS. I really can't say this any other way.
Btw. do you know of any 'radtest' client which supports challenge-response?
For specific authentication methods, radclient. For random things, no. Alan DeKok.