FreeRadius Proxying and Message-Authenticator
Alan DeKok
aland at ox.org
Wed Sep 14 22:13:46 CEST 2005
"Paolo Rotela" <paolo.rotela at bluetelecom.com> wrote:
> Where is it defined? RFC 2869 only talks about how to handle it in Access-*
> packets, and particularly the handling with respect to EAP. It doesn't say
> that you MUST or MAY discard an Accounting-* packet with a missing or bad
> Message-Authenticator.
That's exactly what I meant.
> On the other hand, I don't believe it's correct to discard those packets
> because the document on which FR's calculation of Message-Authenticator is
> based is in DRAFT status, not yet an RFC. So what you are doing like
> this (IMHO) is creating your own version of RADIUS, based on a DRAFT.
No. *Cisco* created its own version of RADIUS by adding a
Message-Authenticator to the Accounting-Response.
And it *is* legal to drop packets which don't have a valid
Message-Authenticator. This is known as "security".
> At the state of the art, I think, nobody can tell each other what
> Message-Authenticator is valid or not in this case... so nobody is able to
> discard a packet as "invalid", until an RFC arrives.
The packet is not a valid one, because there is no valid method of
calculating Message-Authenticator. Therefore, it is an invalid packet.
Alan DeKok.
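The check Alan is describing, written out as an added example (this is illustrative code, not FreeRADIUS's own implementation). It builds RADIUS packets per RFC 2865 section 3, computes Message-Authenticator as RFC 2869 section 5.14 specifies (HMAC-MD5 keyed with the shared secret over the whole packet, with the attribute's own 16 octets zeroed and, for Access-Accept/Reject/Challenge, the Request Authenticator substituted into the authenticator field), and then applies the policy from the thread: a packet carrying a Message-Authenticator that cannot be verified is dropped, and for packet codes where no calculation is defined, such as Accounting-Response, the attribute's presence alone makes the packet invalid. The shared secret `testing123`, the fixed Request Authenticator bytes and the `accept_packet` policy function are assumptions for the demonstration; the sample packets are constructed inline.

```python
"""Added example: RFC 2869 Message-Authenticator build/verify and the "drop if it
cannot be verified" policy from the thread. Not FreeRADIUS code; the secret,
identifiers and policy helper below are assumptions made for illustration."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 5, 11
USER_NAME = 1                 # RFC 2865 attribute type
MESSAGE_AUTHENTICATOR = 80    # RFC 2869 attribute type, always 16 octets
# Packet codes for which RFC 2869 s.5.14 defines how the HMAC is calculated.
MA_DEFINED_CODES = {ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}


def build_packet(code, identifier, authenticator, attrs):
    """Serialize Code|Identifier|Length|Authenticator(16)|TLV attributes (RFC 2865 s.3)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def find_message_authenticator(packet):
    """Walk the attribute TLVs; return the offset of the 16-octet value, or None.
    Raises ValueError on malformed lengths or a duplicate/short attribute."""
    off, found = 20, None
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, ln = packet[off], packet[off + 1]
        if ln < 2 or off + ln > len(packet):
            raise ValueError("malformed attribute length")
        if t == MESSAGE_AUTHENTICATOR:
            if ln != 18 or found is not None:
                raise ValueError("bad or duplicate Message-Authenticator")
            found = off + 2
        off += ln
    return found


def compute_message_authenticator(packet, secret, request_authenticator=None):
    """HMAC-MD5(secret, packet) with the Message-Authenticator value zeroed. For
    responses the caller passes the matching Request Authenticator, which RFC 2869
    says replaces the Response Authenticator field before hashing."""
    off = find_message_authenticator(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator")
    buf = bytearray(packet)
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    buf[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def sign_access_request(identifier, attrs, secret, request_authenticator):
    """Access-Request: the HMAC covers the packet's own (random) Request Authenticator."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = build_packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)
    off = find_message_authenticator(pkt)
    return pkt[:off] + compute_message_authenticator(pkt, secret) + pkt[off + 16:]


def sign_response(code, identifier, attrs, secret, request_authenticator):
    """Response: HMAC with the Request Authenticator in the header, then the
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    Used here for any code, including Accounting-Response, to model a device
    that adds the attribute where no calculation is actually defined."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    pkt = build_packet(code, identifier, request_authenticator, attrs)
    off = find_message_authenticator(pkt)
    mac = compute_message_authenticator(pkt, secret, request_authenticator)
    pkt = pkt[:off] + mac + pkt[off + 16:]
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """Constant-time comparison of the carried HMAC against the recomputed one."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    expected = compute_message_authenticator(packet, secret, request_authenticator)
    return hmac.compare_digest(expected, packet[off:off + 16])


def accept_packet(packet, secret, request_authenticator=None):
    """Assumed policy from the thread: if a Message-Authenticator is present it
    must verify; where no method of calculating it is defined (e.g. code 5,
    Accounting-Response) the packet is invalid and is dropped. Other checks
    (Response Authenticator, EAP rules) are not modeled here."""
    try:
        off = find_message_authenticator(packet)
    except ValueError:
        return False
    if off is None:
        return True
    code = packet[0]
    if code not in MA_DEFINED_CODES:
        return False
    if code == ACCESS_REQUEST:
        return verify_message_authenticator(packet, secret)
    if request_authenticator is None:
        return False
    return verify_message_authenticator(packet, secret, request_authenticator)
```

`accept_packet` only decides the Message-Authenticator question; a real server also checks the Response Authenticator and tracks outstanding requests so that the right Request Authenticator is available for a response. The constant-time compare matters because the attribute is the only integrity check on the attributes of an Access-Request.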