FreeRadius Proxying and Message-Authenticator

Alan DeKok aland at ox.org
Thu Sep 15 19:50:15 CEST 2005


"Paolo Rotela" <paolo.rotela at bluetelecom.com> wrote:
...

  I don't think this discussion is useful.  You have your opinions,
but you're not responsible for server development.

> On the other hand, what's the security difference between accepting
> Accounting-Response packets without a Message-Authenticator because there is
> no standard, and accepting Accounting-Response packets with an
> non-recognized value of Message-Authenticator because there is no standard
> about how to calculate it? The most reasonable thing to do, I think, is to
> simply ignore the Attribute as it were not there.

  Accounting-Response packets are signed, even without a
Message-Authenticator.  This is required in the RFCs.

  As for what's reasonable to do, please feel free to patch your
local copy of FreeRADIUS to behave however you want.

> >  The packet is not a valid one, because there is no valid method of
> > calculating Message-Authenticator.  Therefore, it is an invalid packet.
> 
> If there is no valid method of calculating MA, how can you know that it's
> invalid?

  Maybe you misunderstood me.  There is NO VALID VALUE for
Message-Authenticator in an Accounting-Response packet.

> In the same file, at line 1203, you are using this calculated value, again
> without regarding packet code, to decide if continue or exit with error
> status. Again, why, if there is no valid method?

  Because I updated the code to implement the new proposed method of
calculating valid Message-Authenticators.

  Please stop arguing about this.  If you feel strongly, patch your
local server.  That's why you have source.

  The main FreeRADIUS distribution, however, WILL NOT be patched to do
anything other than what I have described.

  Alan DeKok.
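The point above, that an Accounting-Response is already authenticated without a Message-Authenticator attribute, rests on the Request and Response Authenticator fields of RFC 2866 section 3. The following is an added example (not FreeRADIUS code, not from the thread) that builds an Accounting-Request, answers it with an Accounting-Response, and performs the client-side check a proxy or NAS should do on the reply. The shared secret, attribute values and identifier are constructed for the demo; the MD5 constructions are the ones in RFC 2866.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2866
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs):
    """Encode (type, value_bytes) pairs as RADIUS type-length-value attributes."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def _hash_packet(code, ident, authenticator, attributes, secret):
    """MD5 over Code + ID + Length + (16 authenticator octets) + Attributes + Secret."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + authenticator + attributes + secret).digest()


def request_authenticator(ident, attributes, secret):
    """RFC 2866 s3: Accounting-Request authenticator uses 16 zero octets in place of the field."""
    return _hash_packet(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attributes, secret)


def response_authenticator(ident, request_auth, attributes, secret):
    """RFC 2866 s3: Accounting-Response authenticator hashes the Request Authenticator it answers."""
    return _hash_packet(ACCOUNTING_RESPONSE, ident, request_auth, attributes, secret)


def build_accounting_request(ident, attrs, secret):
    attributes = encode_attributes(attrs)
    auth = request_authenticator(ident, attributes, secret)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attributes)) + auth + attributes


def verify_accounting_request(request, secret):
    """Server-side check: recompute the Request Authenticator with the shared secret."""
    if len(request) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCOUNTING_REQUEST or length != len(request):
        return False
    expected = request_authenticator(ident, request[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, request[4:20])


def build_accounting_response(request, secret, attrs=()):
    """Answer a verified Accounting-Request; any attributes (including a
    Message-Authenticator, if one were present) are covered by the hash."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    attributes = encode_attributes(attrs)
    auth = response_authenticator(ident, request[4:20], attributes, secret)
    return struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, HEADER_LEN + len(attributes)) + auth + attributes


def verify_accounting_response(response, request, secret):
    """Client-side check: the reply must carry the identifier of our request and a
    Response Authenticator computed over our Request Authenticator with our secret.
    A mismatch means a wrong secret, a modified packet, or a reply to another request."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or length != len(response):
        return False
    _, req_ident, _ = struct.unpack("!BBH", request[:4])
    if ident != req_ident:
        return False
    expected = response_authenticator(ident, request[4:20], response[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed demo values: shared secret, User-Name (1), Acct-Status-Type (40) = Start
    secret = b"testing123"
    req = build_accounting_request(7, [(1, b"alice"), (40, b"\x00\x00\x00\x01")], secret)
    print("request verifies on server:", verify_accounting_request(req, secret))
    resp = build_accounting_response(req, secret, [(33, b"proxy-state")])  # Proxy-State (33)
    print("response verifies on client:", verify_accounting_response(resp, req, secret))
    print("response with wrong secret:", verify_accounting_response(resp, req, b"other"))
```

The check in `verify_accounting_response` is what a proxy relies on when it forwards an Accounting-Request to a home server and receives the reply: it never needs a Message-Authenticator value to decide whether the response is genuine, because the Response Authenticator already binds the whole packet and the shared secret to the outstanding request.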


