FreeRadius Proxying and Message-Authenticator
Paolo Rotela
paolo.rotela at bluetelecom.com
Thu Sep 15 20:26:39 CEST 2005
----- Original Message -----
From: "Alan DeKok" <aland at ox.org>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Thursday, September 15, 2005 2:50 PM
Subject: Re: FreeRadius Proxying and Message-Authenticator
> "Paolo Rotela" <paolo.rotela at bluetelecom.com> wrote:
> ...
>
> I don't think this discussion is useful. You have your opinions,
> but you're not responsible for server development.
>
I thought that discussion was the main purpose of an "open" community...
because this way all people benefit from the opinions and views of other
people.
>> On the other hand, what's the security difference between accepting
>> Accounting-Response packets without a Message-Authenticator because there
>> is no standard, and accepting Accounting-Response packets with a
>> non-recognized value of Message-Authenticator because there is no standard
>> about how to calculate it? The most reasonable thing to do, I think, is to
>> simply ignore the Attribute as if it were not there.
>
> Accounting-Response packets are signed, even without a
> Message-Authenticator. This is required in the RFC's.
>
This discussion is NOT about "Response-Authenticator", which is well
documented in the RFC... this is about Message-Authenticator in Accounting
packets, which is not well documented.
> As for what's reasonable to do, please feel free to patch your
> local copy of FreeRADIUS to behave however you want.
>
Yes, I know...
>> > The packet is not a valid one, because there is no valid method of
>> > calculating Message-Authenticator. Therefore, it is an invalid packet.
>>
>> If there is no valid method of calculating MA, how can you know that it's
>> invalid?
>
> Maybe you misunderstood me. There is NO VALID VALUE for
> Message-Authenticator in Accounting-Response packet
>
>> In the same file, at line 1203, you are using this calculated value, again
>> without regard to the packet code, to decide whether to continue or exit
>> with error status. Again, why, if there is no valid method?
>
> Because I updated the code to implement the new proposed method of
> calculating valid Message-Authenticators.
>
So you are implementing YOUR radius to support YOUR PROPOSED method... well,
it seems somewhat proprietary...
> Please stop arguing about this. If you feel strongly, patch your
> local server. That's why you have source.
Yes, but I'm trying to keep a good product like FreeRADIUS interoperating
with some known and well-distributed products, which don't strictly
violate RFCs...
Know that FreeRADIUS will not interoperate this way with Cisco.
>
> The main FreeRADIUS distribution, however, WILL NOT be patched to do
> anything other than what I have described.
>
OK
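The two signing mechanisms the thread is arguing about, as an added example that is not part of the original message and not FreeRADIUS code: the Response Authenticator of an Accounting-Response (RFC 2866 section 3) is an MD5 over the whole packet plus the shared secret, so it already covers every attribute, a Message-Authenticator included; the Message-Authenticator attribute (RFC 2869 section 5.14) is an HMAC-MD5 defined only for Access-Request, Access-Accept, Access-Reject and Access-Challenge. The script below builds a constructed Accounting-Request/Accounting-Response pair under a made-up shared secret, verifies the RFC 2866 signatures, and then fills in a Message-Authenticator on the response using the Access-* rule. That last step is an assumption for illustration only: no RFC says what value belongs in an Accounting-Response, which is exactly the gap the thread is about. What the example does show is that the RFC 2866 check passes or fails identically whether or not the attribute is present, and that tampering with the attribute breaks the RFC 2866 signature regardless of how the attribute itself is interpreted.

```python
"""RFC 2866 Response Authenticator vs RFC 2869 Message-Authenticator on accounting packets.
Added example, not FreeRADIUS code; secret, identifiers and attribute values are constructed."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE, MESSAGE_AUTHENTICATOR = 1, 40, 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def attribute(attr_type, value):
    """Encode one RADIUS TLV: Type(1) Length(1, counts the two header octets) Value."""
    return bytes((attr_type, 2 + len(value))) + value


def packet(code, ident, authenticator, attrs):
    """Assemble header + attributes with the given 16-octet Authenticator field."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def accounting_request(ident, attrs, secret):
    """RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    unsigned = packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[HEADER_LEN:]


def verify_request_authenticator(request, secret):
    expected = hashlib.md5(request[:4] + bytes(16) + request[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def accounting_response(request, attrs, secret):
    """RFC 2866 s3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    The hash covers every attribute, so anything in the response, a Message-Authenticator
    included, is already bound to the shared secret by this field alone."""
    unsigned = packet(ACCOUNTING_RESPONSE, request[1], request[4:20], attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[HEADER_LEN:]


def verify_response_authenticator(response, request, secret):
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def find_attribute(pkt, attr_type):
    """Return (offset of value, value) for the first attribute of attr_type, else None."""
    off = HEADER_LEN
    while off + 2 <= len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed attribute at offset %d" % off)
        if t == attr_type:
            return off + 2, pkt[off + 2:off + length]
        off += length
    return None


def message_authenticator(pkt, request_auth, secret):
    """RFC 2869 s5.14 rule for Access-* packets: HMAC-MD5 over the packet with the
    Message-Authenticator value zeroed and the Authenticator field set to the Request
    Authenticator. Applying it to code 5 (Accounting-Response) is an assumption, not an RFC rule."""
    found = find_attribute(pkt, MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        raise ValueError("no 16-octet Message-Authenticator attribute")
    off = found[0]
    data = pkt[:4] + request_auth + pkt[HEADER_LEN:off] + bytes(16) + pkt[off + 16:]
    return hmac.new(secret, data, hashlib.md5).digest()


def accounting_response_with_ma(request, attrs, secret):
    """Accounting-Response carrying a Message-Authenticator filled in by the Access-* rule.
    The MA is computed first (it does not depend on the Response Authenticator); the
    Response Authenticator is then taken over the finished attribute list."""
    attrs = list(attrs) + [attribute(MESSAGE_AUTHENTICATOR, bytes(16))]
    unsigned = packet(ACCOUNTING_RESPONSE, request[1], request[4:20], attrs)
    off = find_attribute(unsigned, MESSAGE_AUTHENTICATOR)[0]
    filled = unsigned[:off] + message_authenticator(unsigned, request[4:20], secret) + unsigned[off + 16:]
    return filled[:4] + hashlib.md5(filled + secret).digest() + filled[HEADER_LEN:]


def verify_message_authenticator(response, request, secret):
    """True/False when an MA attribute is present, None when the packet carries none."""
    found = find_attribute(response, MESSAGE_AUTHENTICATOR)
    if found is None:
        return None
    return hmac.compare_digest(found[1], message_authenticator(response, request[4:20], secret))


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret
    req = accounting_request(7, [attribute(USER_NAME, b"alice"),
                                 attribute(ACCT_STATUS_TYPE, struct.pack("!I", 1))], secret)
    for name, resp in (("plain", accounting_response(req, [], secret)),
                       ("with MA", accounting_response_with_ma(req, [], secret))):
        print(name, "RFC 2866 ok:", verify_response_authenticator(resp, req, secret),
              "MA:", verify_message_authenticator(resp, req, secret))
```

A receiver that only implements RFC 2866 can call verify_response_authenticator on either response and gets the same answer; the attribute neither helps nor hurts it. A receiver that insists on checking the attribute has to pick a rule the RFC never wrote down, which is why two implementations can disagree on a packet that both of them signed correctly under RFC 2866.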