radclient and Message-Authenticator validation

Bjørn Mork bjorn at mork.no
Mon May 7 12:07:55 CEST 2012

Jouni Malinen <j at w1.fi> writes:

> It is that "The Request Authenticator is taken from the corresponding
> CoA/Disconnect-Request" part that does not seem to be followed by the
> current rad_verify() implementation. It clears the Authenticator field
> to all zeros (which is the mechanism used for the Request message)
> instead of using the Authenticator field from the Request message when
> validating the ACK/NAK message. Is this a workaround for some deployed
> NAS implementations or can this be fixed to match with RFC 5176?

From the git history, this looks like just an accident.  Are there any
NAS out there actually sending a Message-Authenticator in these replies?
None of the ones I've tested does that, not even the FreeRADIUS server.

I assume that's the reason no one has hit this before.

> The following change was enough to make this interoperate with my
> hostapd implementation.

Right, then there is one :-)

I'd say fix it, and then fix any NAS which would happen to break.  RFC
compliance is a priority for the FreeRADIUS project as far as I know.
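
The check discussed in this thread, as an added example that is not part of the original post and is not FreeRADIUS or hostapd code: the Message-Authenticator of a Disconnect-ACK is verified once with the Authenticator taken from the request (the RFC 5176 rule quoted above) and once with sixteen zero octets (the behaviour the quoted message attributes to rad_verify()). All function names, the secret and the packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type; value is 16 octets
DISCONNECT_ACK = 41

def mac_offset(packet):
    """Offset of the Message-Authenticator value, or None if absent."""
    pos = 20  # attributes start after the 20-octet header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2
        pos += alen
    return None

def reply_mac(packet, authenticator, secret):
    """HMAC-MD5 over the reply with the given 16 octets in the Authenticator
    field and the Message-Authenticator value zeroed."""
    off = mac_offset(packet)
    buf = bytearray(packet)
    buf[4:20] = authenticator
    buf[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def verify_reply(reply, authenticator, secret):
    """True if the reply's Message-Authenticator matches."""
    off = mac_offset(reply)
    if off is None:
        return False
    want = reply_mac(reply, authenticator, secret)
    return hmac.compare_digest(want, reply[off:off + 16])

def build_reply(code, ident, request_auth, secret):
    """Constructed ACK/NAK carrying only a Message-Authenticator."""
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(attrs)))
    pkt += bytes(16) + attrs
    pkt[22:38] = reply_mac(pkt, request_auth, secret)
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    pkt[4:20] = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return bytes(pkt)

# Constructed sample values, not taken from the thread.
SECRET = b"example-secret"
REQUEST_AUTH = bytes(range(16))
REPLY = build_reply(DISCONNECT_ACK, 7, REQUEST_AUTH, SECRET)
print(verify_reply(REPLY, REQUEST_AUTH, SECRET))  # request's Authenticator
print(verify_reply(REPLY, bytes(16), SECRET))     # zero-filled Authenticator
```

A client that zero-fills the field rejects this reply even though it is correctly signed, which is why the mismatch only shows up against a NAS that actually sends the attribute in its ACK/NAK.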

