Fix message-authenticator attribute check for rfc 5997
Frederic Leroy
fredo at starox.org
Fri Jul 1 15:15:56 CEST 2011
On Mon, Jun 27, 2011 at 01:09:39PM +0200, Alan DeKok wrote:
> Frederic Leroy wrote:
> > Hello,
> >
> > I have a device which adds message-authenticator attribute (80) in its
> > accounting-response.
> > If I understand correctly, it follows RFC 5997 (see section 5), which is
> > informational.
Section 5 shows that the server accounting response can have a Message-Authenticator AVP.
> Ah... the authentication vector for Status-Server is random, while
> it's zero for Accounting-Request. As a result, the calculation of the
> response authenticator for Accounting-Request is different.
RFC 3579, section 3.2, indicates how the Message-Authenticator is calculated on the server side.
The request-authenticator is not zero, but that of the request packet (original->vector), whereas the message-authenticator is zero.
This is the same case as PW_AUTHENTICATION_ACK, PW_AUTHENTICATION_REJECT, PW_ACCESS_CHALLENGE.
> > Using radclient, it rejects the accounting-response of my device.
> > So here is a patch to libfreeradius to make it work.
> That breaks accounting packets.
>
> I've put a better fix into git.
The patch doesn't work for me, I tested it ... sorry.
--
Frederic Leroy
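
Added example (not part of the original message and not libfreeradius code): a Python check of a response's Message-Authenticator computed the way the message above describes from RFC 3579 section 3.2, with the request packet's authenticator placed in the header and the attribute value zeroed before the HMAC-MD5. The function names, the sample packet and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80   # attribute type named in the thread
ACCOUNTING_RESPONSE = 5      # RADIUS code for Accounting-Response

def find_message_authenticator(packet: bytes) -> int:
    """Return the offset of the 16-byte Message-Authenticator value."""
    pos = 20                                   # attributes follow the 20-byte header
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            raise ValueError("malformed attribute")
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18:
                raise ValueError("Message-Authenticator must carry 16 bytes")
            return pos + 2
        pos += a_len
    raise ValueError("no Message-Authenticator attribute")

def expected_mac(packet: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 keyed with the shared secret over the response, using the
    request's authenticator in the header and a zeroed attribute value."""
    off = find_message_authenticator(packet)
    buf = bytearray(packet)
    buf[4:20] = request_auth                   # original->vector in the thread
    buf[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    if len(packet) < 20 or len(request_auth) != 16:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False                           # length field must match the datagram
    try:
        off = find_message_authenticator(packet)
        mac = expected_mac(packet, request_auth, secret)
    except ValueError:
        return False
    return hmac.compare_digest(packet[off:off + 16], mac)

def build_response(ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Constructed sample: Accounting-Response carrying only attribute 80."""
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20 + len(attrs))
    pkt = bytearray(head + request_auth + attrs)
    pkt[22:38] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()  # Response Authenticator
    return bytes(pkt)
```

A verifier that substitutes a zero vector instead of the request's authenticator computes a different HMAC and rejects the same packet.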