Message-Authenticator for CoA/DM vs Access Request/Accounting/Status

Alan DeKok aland at
Mon Jun 9 15:28:35 CEST 2014

Peter Lambrechtsen wrote:
> So this means that the Message-Authenticator HMAC value should be
> calculated on the assumption the Packet Authenticator is all zero bytes

  Yes.  That's how FreeRADIUS works.  The code is available, you just
need to read it.

> so it would look something like this:
> 2b90002b000000000000000000000000000000000105626f62501200000000000000000000000000000000
> And then the Packet Authenticator and the Message-Authenticator gets
> added in and you end up with a packet like this:
> 2b90002b9b6756059c3b56559d67f44418ae1fb70105626f6250125d68bd8fc122f6f2346e51872ba21fc3

  Not entirely.  Order is important.

Step 1:


Step 2:


Step 3:


> Is this correct? As that is how it seems to be working for me. And I
> just wanted to make sure I was approaching this correctly. As it seems a
> little strange that the CoA/DM messages would prefer to have a null
> Authenticator message when calculating a Message-Authenticator. But it
> seems to be the way it is.

  You have to calculate one and then the other.  There's no way to do
both at the same time.

  Alan DeKok.

More information about the Freeradius-Devel mailing list