Message-Authenticator for CoA/DM vs Access Request/Accounting/Status

Peter Lambrechtsen peter at crypt.co.nz
Mon Jun 9 16:09:16 CEST 2014


On Tue, Jun 10, 2014 at 1:28 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> Peter Lambrechtsen wrote:
> > So this means that the Message-Authenticator HMAC value should be
> > calculated on the assumption the Packet Authenticator is all zero bytes
>
>   Yes.  That's how FreeRADIUS works.  The code is available, you just
> need to read it.
>
> > so it would look something like this:
> >
> > 2b90002b000000000000000000000000000000000105626f62501200000000000000000000000000000000
> >
> > And then the Packet Authenticator and the Message-Authenticator gets
> > added in and you end up with a packet like this:
> >
> > 2b90002b9b6756059c3b56559d67f44418ae1fb70105626f6250125d68bd8fc122f6f2346e51872ba21fc3
>
>   Not entirely.  Order is important.
>
> Step 1:
>
> 2b90002b000000000000000000000000000000000105626f62501200000000000000000000000000000000
>
> Step 2:
>
> 2b90002b000000000000000000000000000000000105626f6250125d68bd8fc122f6f2346e51872ba21fc3
>
> Step 3:
>
> 2b90002b9b6756059c3b56559d67f44418ae1fb70105626f6250125d68bd8fc122f6f2346e51872ba21fc3
>
>
> > Is this correct? As that is how it seems to be working for me. And I
> > just wanted to make sure I was approaching this correctly. As it seems a
> > little strange that the CoA/DM messages would prefer to have a null
> > Authenticator message when calculating a Message-Authenticator. But it
> > seems to be the way it is.
>
>   You have to calculate one and then the other.  There's no way to do
> both at the same time.
>

Thanks Alan, that is what I had realised (after reading the code, and
wanting to make sure I was reading it correctly as C isn't my strong suit).
I had misunderstood and now know that the Packet Authenticator needs to be
a "proper" one based off the MD5 of the Packet Type/Identifier/Attributes
rather than just the purely random number that is used for the
Access-Request. After I figured out the MD5 encoding process from Step 2 to
Step 3 then everything works.

I now have a working JMeter test suite that can make RADIUS calls including
Message-Authenticator for all common packet types
Access-Request/Accounting/CoA/DM/Status after hacking TinyRadius. Seems to
work well for me. Now I just need to build a patch for the JMeter
folks to accept.

Happy to send you a link if you were interested.

Cheers

Peter
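The three steps Alan lists, carried through in code as an added example (this is not code from the thread, from FreeRADIUS or from TinyRadius). It reproduces the packet discussed above (CoA-Request, code 43, identifier 0x90, User-Name "bob", Message-Authenticator) and adds a receiver-side check that validates both digests before a CoA/Disconnect-Request is acted on. The shared secret "testing123" is an assumption, since the thread never gives one, so the step 2 and step 3 digests will differ from the hex in the thread while the step 1 bytes match exactly.

```python
"""Added example: build a CoA/Disconnect-Request in the order the thread
describes and verify one on the receiving side.

Assumed (not from the thread): shared secret b"testing123".
"""
import hashlib
import hmac

CODE_COA_REQUEST = 43          # RFC 5176 CoA-Request
CODE_DISCONNECT_REQUEST = 40   # RFC 5176 Disconnect-Request
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
ZERO16 = bytes(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: type, total length (2 + value), value; value <= 253 octets."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_request(code: int, ident: int, attrs: list, secret: bytes):
    """Return the (step1, step2, step3) packets from the thread.

    step1: Request Authenticator and Message-Authenticator both all-zero.
    step2: Message-Authenticator = HMAC-MD5(secret, step1).
    step3: Request Authenticator = MD5(step2 + secret), i.e. MD5 over
           Code + ID + Length + 16 zero octets + attributes + secret.
    """
    body = b"".join(attrs) + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)
    length = 20 + len(body)
    if length > 4096:
        raise ValueError("packet too long")
    step1 = bytes([code, ident]) + length.to_bytes(2, "big") + ZERO16 + body
    ma_offset = len(step1) - 16          # Message-Authenticator is appended last
    ma = hmac.new(secret, step1, hashlib.md5).digest()
    step2 = step1[:ma_offset] + ma
    req_auth = hashlib.md5(step2 + secret).digest()
    step3 = step2[:4] + req_auth + step2[20:]
    return step1, step2, step3


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check for a CoA/Disconnect-Request.

    Reverse of building: the Request Authenticator is checked over the packet
    with that field zeroed, then the Message-Authenticator over the packet
    with both fields zeroed. A packet without Message-Authenticator, or with
    a malformed attribute list, is rejected in this example.
    """
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    zeroed_auth = packet[:4] + ZERO16 + packet[20:]
    expected_auth = hashlib.md5(zeroed_auth + secret).digest()
    if not hmac.compare_digest(expected_auth, packet[4:20]):
        return False
    off = 20
    while off + 2 <= len(packet):
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > len(packet):
            return False                 # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[off + 2:off + 18]
            zeroed_both = zeroed_auth[:off + 2] + ZERO16 + zeroed_auth[off + 18:]
            expected_ma = hmac.new(secret, zeroed_both, hashlib.md5).digest()
            return hmac.compare_digest(expected_ma, received)
        off += attr_len
    return False


if __name__ == "__main__":
    secret = b"testing123"               # assumed; not given in the thread
    s1, s2, s3 = build_request(CODE_COA_REQUEST, 0x90,
                               [encode_attr(ATTR_USER_NAME, b"bob")], secret)
    for label, pkt in (("Step 1", s1), ("Step 2", s2), ("Step 3", s3)):
        print(label, pkt.hex())
    print("verify:", verify_request(s3, secret))
```

The receiver deliberately checks the Request Authenticator before the Message-Authenticator: a CoA/DM packet whose authenticator was left at step 2 (zeroed, as in the middle hex line above) fails the first check, and a packet whose attributes were altered after step 3 fails both.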