Message-Authenticator for CoA/DM vs Access Request/Accounting/Status
aland at deployingradius.com
Mon Jun 9 15:28:35 CEST 2014
Peter Lambrechtsen wrote:
> So this means that the Message-Authenticator HMAC value should be
> calculated on the assumption the Packet Authenticator is all zero bytes
Yes. That's how FreeRADIUS works. The code is available, you just
need to read it.
> so it would look something like this:
> And then the Packet Authenticator and the Message-Authenticator gets
> added in and you end up with a packet like this:
Not entirely. Order is important.
> Is this correct? As that is how it seems to be working for me. And I
> just wanted to make sure I was approaching this correctly. As it seems a
> little strange that the CoA/DM messages would prefer to have a null
> Authenticator message when calculating a Message-Authenticator. But it
> seems to be the way it is.
You have to calculate one and then the other. There's no way to do
both at the same time.
More information about the Freeradius-Devel