radtest should always send Message-Authenticator
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Sep 21 13:47:06 CEST 2011
>
>
> If require_message_authenticator == yes then non-EAP auth-requests
> generated by radtest will fail because currently radtest only supplies
> the Message-Authenticator if EAP is being performed. With modern
> Radius servers (e.g. FreeRADIUS) there is no harm in providing the
> Message-Authenticator attribute for non-EAP packets, in fact it's
> actually recommended in RFC 5080.
>
> Therefore radtest should ALWAYS send the Message-Authenticator
> attribute. If it's EAP or if the server is configured with
> require_message_authenticator it must be present. If those conditions
> do not hold it's benign. However if require_message_authenticator is
> configured radtest will fail for non-EAP.
There are some instances where sending a message authenticator is destructive and will break things. For example, where old RADIUS proxy servers (which have not implemented any special behaviour for Message-Authenticator) are part of a proxy chain, including Message-Authenticator in requests or responses which pass through those servers will cause the requests/responses to be dropped by the parties on the other side.
Just an FYI in case you thought the modification was completely benign :).
-Arran
Arran Cudbard-Bell
a.cudbardb at networkradius.com
Technical consultant and solutions architect
15 Ave. du Granier, Meylan, France
+33 4 69 66 54 50
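As an added example (not code from this thread, from radtest or from FreeRADIUS), the following shows how the Message-Authenticator attribute of RFC 2869 section 5.14 is computed for an Access-Request and checked on the receiving side, with a small policy function that models the require_message_authenticator behaviour discussed above. The shared secret, identifier and User-Name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14: 16-byte HMAC-MD5

def encode_attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def iter_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    off = 20
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("malformed attribute")
        yield off, atype, pkt[off + 2:off + alen]
        off += alen

def build_access_request(secret, ident, attrs, authenticator=None):
    """Build an Access-Request that always carries Message-Authenticator, EAP or not."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    # HMAC-MD5 keyed with the shared secret over the packet with the zeroed placeholder
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the placeholder is the last 16 bytes

def check_message_authenticator(secret, pkt):
    """Return 'valid', 'invalid' or 'absent' for the packet's Message-Authenticator."""
    for off, atype, value in iter_attrs(pkt):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return "invalid"
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "valid" if hmac.compare_digest(expected, value) else "invalid"
    return "absent"

def server_accepts(secret, pkt, require_message_authenticator):
    """Server policy: a bad Message-Authenticator is always fatal, a missing one only when required."""
    status = check_message_authenticator(secret, pkt)
    if status == "invalid":
        return False
    return status == "valid" or not require_message_authenticator
```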