FreeRadius Proxying and Message-Authenticator
Alan DeKok
aland at ox.org
Wed Sep 14 17:43:22 CEST 2005
"Paolo Rotela" <paolo.rotela at bluetelecom.com> wrote:
> I wonder if it is correct to discard a packet based on the presence of an
> attribute whose use is not defined by any standard.
No. FreeRADIUS doesn't do that.
The Message-Authenticator attribute *is* defined, but not well.
> I've read the "aboba-radext-fixes" and I see that FR is calculating
> Message-Authenticator in Accounting packets this way. But there is
> no RFC about it... RFC2869 describes how to handle incorrect or
> missing Message-Authenticator in Access-* packets, it doesn't say
> that you must discard an Accounting packet with invalid Message
> Authenticator, because as you say there is no standard about how to
> calculate it.
Which is why the "Issues & Fixes" document was written.
> I suggest at least a configuration option that can help to avoid this
> compatibility issue, giving the user the option of accepting or not
> "incorrect" MAs in Accounting.
That's a security bug, and will *not* go into the server.
> I'll try to find out the algorithm used by Cisco... If I happen to be
> successful, I'll post it.
That would be appreciated, thanks.
Alan DeKok.