Message-Authenticator for CoA/DM vs Access Request/Accounting/Status
peter at crypt.co.nz
Mon Jun 9 16:09:16 CEST 2014
On Tue, Jun 10, 2014 at 1:28 AM, Alan DeKok <aland at deployingradius.com> wrote:
> Peter Lambrechtsen wrote:
> > So this means that the Message-Authenticator HMAC value should be
> > calculated on the assumption the Packet Authenticator is all zero bytes
> Yes. That's how FreeRADIUS works. The code is available, you just
> need to read it.
> > so it would look something like this:
> > And then the Packet Authenticator and the Message-Authenticator gets
> > added in and you end up with a packet like this:
> Not entirely. Order is important.
> Step 1:
> Step 2:
> Step 3:
> > Is this correct? As that is how it seems to be working for me. And I
> > just wanted to make sure I was approaching this correctly. As it seems a
> > little strange that the CoA/DM messages would prefer to have a null
> > Authenticator message when calculating a Message-Authenticator. But it
> > seems to be the way it is.
> You have to calculate one and then the other. There's no way to do
> both at the same time.
Thanks Alan, that is what I had realised (after reading the code, and
wanting to make sure I was reading it correctly as C isn't my strong suit).
I had misunderstood and now know that the Packet Authenticator needs to be
a "proper" one based off the MD5 of the Packet Type/Identifier/Attributes
rather than just the purely random number that is used for the
Access-Request. After I figured out the MD5 encoding process from Step 2 to
Step 3 then everything works.
I now have a working JMeter test suite that can make RADIUS calls including
Message-Authenticator for all common packet types
Access-Request/Accounting/CoA/DM/Status after hacking TinyRadius. Seems to
work well for me. Now I just need to build a patch for the JMeter
folks to accept.
Happy to send you a link if you were interested.
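
The ordering discussed in this thread, as an added example that is not part of the original post and is not FreeRADIUS or TinyRadius code: the Message-Authenticator is computed while both 16-byte fields are zero, then the Packet Authenticator is computed as an MD5 over the result plus the shared secret, and the receiver checks both in reverse. The function names, the shared secret and the sample attributes are constructed for illustration; the layout follows RFC 5176.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 packet code for CoA-Request
MSG_AUTH_TYPE = 80        # Message-Authenticator attribute type
ZERO16 = b"\x00" * 16
# Constructed sample input: the secret and attributes below are made up.
SECRET = b"example-secret"

def attr(type_, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([type_, len(value) + 2]) + value

ATTRS = attr(1, b"alice") + attr(4, bytes([192, 0, 2, 1]))  # User-Name, NAS-IP-Address

def sign_request(code, ident, attrs, secret):
    """Build a CoA/Disconnect request: Message-Authenticator first, then the authenticator."""
    body = attrs + attr(MSG_AUTH_TYPE, ZERO16)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    ma_off = 20 + len(attrs) + 2            # offset of the 16-byte HMAC value
    pkt = bytearray(header + ZERO16 + body)
    # HMAC-MD5 over the whole packet while both 16-byte fields are still zero.
    pkt[ma_off:ma_off + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    # MD5 over the packet (authenticator still zero, HMAC now in place) + secret.
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)

def verify_request(pkt, secret):
    """Receiver side: check the Packet Authenticator, then the Message-Authenticator."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    zeroed = bytearray(pkt)
    zeroed[4:20] = ZERO16
    if not hmac.compare_digest(hashlib.md5(bytes(zeroed) + secret).digest(), pkt[4:20]):
        return False
    off = 20
    while off + 2 <= len(pkt):              # walk the attribute list
        t, ln = pkt[off], pkt[off + 1]
        if ln < 2 or off + ln > len(pkt):
            return False                    # malformed attribute length
        if t == MSG_AUTH_TYPE and ln == 18:
            got = pkt[off + 2:off + 18]
            zeroed[off + 2:off + 18] = ZERO16
            want = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(want, got)
        off += ln
    return False                            # this sketch requires the attribute
```

A packet that carries a correct Message-Authenticator but a random Packet Authenticator, as an Access-Request would, fails `verify_request` at the MD5 check.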