Fix message-authenticator attribute check for rfc 5997

Frederic Leroy fredo at
Fri Jul 1 15:15:56 CEST 2011

On Mon, Jun 27, 2011 at 01:09:39PM +0200, Alan DeKok wrote:
> Frederic Leroy wrote:
> > Hello,
> > 
> > I have a device which adds message-authenticator attribute (80) in its
> > accounting-response.
> > If I understand correctly, it follows rfc5997 ( see section 5 ) which is 
> > informational.

Section 5 shows that the server accounting response can have a message-authenticator avp.
>   Ah... the authentication vector for Status-Server is random, while
> it's zero for Accounting-Request.  As a result, the calculation of the
> response authenticator for Accounting-Request is different.

Rfc 3579, section 3.2, indicates how the Message-Authenticator is calculated on the server side.
The request-authenticator is not zero, but those of the request packet ( original->vector ) whereas the message-authenticator is zero.


> > Using radclient, it rejects the accounting-response of my device.
> > So here is a patch to libfreeradius to make it works.
>   That breaks accounting packets.
>   I've put a better fix into git.

The patch don't work for me, I tested it ... sorry.

Frederic Leroy

More information about the Freeradius-Devel mailing list