radtest should always send Message-Authenticator

John Dennis jdennis at redhat.com
Wed Sep 21 00:50:17 CEST 2011


Here is a small 1-line patch for radtest. This was originally filed as a 
bug by the NSA (https://bugzilla.redhat.com/show_bug.cgi?id=630072). It 
would be nice if this could be applied to 2.1.12 before it's released. 
The patch is attached in git format and can be applied with either "git 
am" or "git apply <attachment>" if you save the attachment.

I wrote up the justification for the change:
------------------------------------------------------------------

Originally Message-Authenticator was introduced to provide message
integrity for EAP messages and originally the Message-Authenticator
attribute was only required for EAP messages.

But then RFC 5080 came along and suggested Message-Authenticator
always be sent as best practice.

    Any Access-Request packet that performs authorization checks,
    including Call Check, SHOULD contain a Message-Authenticator
    attribute.

RFC 5080 then goes on to say:

    ... server implementations may be configured to require the
    presence of a Message-Authenticator attribute in Access-Request
    packets.  Requests not containing a Message-Authenticator attribute
    MAY then be silently discarded.

The raddb/clients.conf has this configuration option to satisfy the
above suggestion in RFC 5080:

    require_message_authenticator = no|yes

If require_message_authenticator == yes then non-EAP auth-requests
generated by radtest will fail because currently radtest only supplies
the Message-Authenticator if EAP is being performed. With modern
RADIUS servers (e.g. FreeRADIUS) there is no harm in providing the
Message-Authenticator attribute for non-EAP packets, in fact it's
actually recommended in RFC 5080.

Therefore radtest should ALWAYS send the Message-Authenticator
attribute. If it's EAP or if the server is configured with
require_message_authenticator it must be present. If those conditions
do not hold it's benign. However if require_message_authenticator is
configured radtest will fail for non-EAP.
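As an added illustration (not part of John's patch, radtest, or the FreeRADIUS code), the following Python sketch builds a non-EAP Access-Request the way radtest does, once with and once without Message-Authenticator, and runs both through a server-side check modelled on the two settings of require_message_authenticator. Message-Authenticator (attribute type 80) is the HMAC-MD5 over the whole packet with its own 16-byte value zeroed, keyed with the shared secret (RFC 2869 section 5.14); User-Password is hidden per RFC 2865 section 5.2. The shared secret, user name and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def _avp(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(identifier, secret, username, password,
                         include_message_authenticator=True, authenticator=None):
    """Build an Access-Request. With include_message_authenticator=False this
    mirrors what radtest sent for non-EAP requests before the patch."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: random per RFC 2865
    attrs = _avp(ATTR_USER_NAME, username)
    attrs += _avp(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    if include_message_authenticator:
        # Placeholder of zeros; the HMAC is computed over the packet in this state.
        attrs += _avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    if include_message_authenticator:
        mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac  # overwrite the zeroed placeholder (last attribute)
    return header + attrs


def parse_attributes(packet):
    """Yield (type, offset_of_attribute, value) for each attribute after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, pos, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def check_access_request(packet, secret, require_message_authenticator):
    """Server-side decision modelled on clients.conf require_message_authenticator
    and RFC 5080 section 2.2.2: return 'accept' or 'discard'."""
    if len(packet) < 20:
        return "discard"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "discard"
    mas = [(pos, val) for t, pos, val in parse_attributes(packet)
           if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        # Missing attribute: only fatal when the client entry requires it.
        return "discard" if require_message_authenticator else "accept"
    pos, val = mas[0]
    if len(val) != 16:
        return "discard"
    # Recompute over the packet with the attribute value zeroed, compare in constant time.
    zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "accept" if hmac.compare_digest(expected, val) else "discard"


if __name__ == "__main__":
    SECRET = b"testing123"  # constructed sample shared secret
    with_ma = build_access_request(1, SECRET, b"bob", b"hello")
    without_ma = build_access_request(2, SECRET, b"bob", b"hello",
                                      include_message_authenticator=False)
    for name, pkt in (("with MA", with_ma), ("without MA", without_ma)):
        for required in (False, True):
            print(f"{name:10s} require_message_authenticator={required}: "
                  f"{check_access_request(pkt, SECRET, required)}")
```

The run shows the asymmetry the mail describes: the request carrying Message-Authenticator is accepted under both settings, while the one without it is only accepted when the server does not require the attribute. A request whose Message-Authenticator is computed under a different secret, or altered in transit, is discarded regardless of the setting.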


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Always-send-Message-Authenticator-in-radtest.patch
Type: text/x-patch
Size: 2364 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20110920/fc490377/attachment.bin>

