Message-Authenticator and Proxy

Alan DeKok aland at
Mon Aug 8 04:39:08 CEST 2005

"Xavier" <xavee2004 at> wrote:
> When FR poxies the request, it resets the Message-Authenticator attribute to 
> zero in a Access-Request packet.

  What you see in debug mode, is that the message authentictor is
always xero.  This is simply because it's printed out before it's
calculated.  Call it a minor bug in the debug output.

> therefore the radius server (third party) answers sometimes Accept and 
> sometimes reject.

  That doesn't make sense.  If the Message-Authenticator is wrong,
then the other server will *always* reject the Access-Request packets
sent by the FreeRADIUS.

> In order to solve this problem I need to know if FreeRADIUS has the good 
> behaviour.

  FreeRADIUS works, and it calculates the Message-Authenticator
correctly.  Look at the logs on the other server to see why the packet
is being rejected.

> I tried also to suppress the Message-Authenticator attribute with the 
> attr_rewrite module, but I didn't manage to.

  You can't.  It's calculated automatically.

> Below is the debug output of FreeRADIUS :

  That's nice.  What does the OTHER server say?

  Alan DeKok.

More information about the Freeradius-Users mailing list