AccountingReq message authenticator
Michael Lecuyer
mjl at theorem.com
Wed Sep 28 16:48:42 CEST 2005
There is no way to generate a message authenticator in an
Accounting-Request packet the usual way it's generated for an
Access-Request.

The accounting packet is signed by the client; therefore there cannot be
two signatures created for the entire packet. By the very nature of
creating a signature, the second signature will alter the packet's
contents, invalidating the first signature.

The Message-Authenticator can be only one of two things. Either it's
calculated as a hash of the attributes or it's a random number (like the
Access-Request authenticator). From your information I suspect it's the
former.

You might try using the traditional MA calculation for the MA on just
the attributes with an empty (zeroed) MA present and back patch the MA.
If this works please let me know.

Or, if someone has accounting packets generated with proper MAs, please
send them to me and I'll try some standard hashes. The MA is
traditionally created as an MD5-HMAC of the shared secret and the entire
packet's contents with an empty (16 byte) Message-Authenticator. For an
accounting packet MA, use just the attribute block instead of the entire
packet: try just the attributes with the empty MA.

Ashwin Gobind wrote:
> Hi.
>
> Is there any way to generate a message authenticator for an accounting
> request packet? At the moment I am using JRadius; I need to send an
> accounting request message to another radius server. However, after I
> add the message authenticator and send it to another server, the other
> server complains about “Invalid message authenticator” (Shared secret
> is incorrect).
>
> Here is some code:
>
> //Proxy request to the wap gateway
> DatagramSocket socket = new DatagramSocket();
> socket.setSoTimeout(5000);
>
> //Generate authenticator
> MessageDigest md5 = MessageDigest.getInstance("MD5");
> md5.reset();
> md5.update((byte)req.getCode());
> md5.update((byte)req.getIdentifier());
> int length = req.getBytes().length;
> byte [] authenticator = req.getAuthenticator();
> byte [] attributeBytes = req.getAttributeBytes(req.getAttributes(),0);
>
> for (int z=0; z <authenticator.length ; z++ )
>     RadiusLog.debug("Autenticator["+z+"] Before = " + authenticator[z]);
>
> RadiusLog.debug("Autenticator Length: " + authenticator.length);
> RadiusLog.debug("Attributes Length: " + attributeBytes.length);
> RadiusLog.debug("Paket Length: " + length);
>
> String sharedSecret = "testing123";
> md5.update((byte)(length >> 8));
> md5.update((byte)(length & 0xff));
> md5.update(authenticator, 0, authenticator.length);
> md5.update(attributeBytes, 0, attributeBytes.length);
> md5.update(sharedSecret.getBytes());
>
> req.overwriteAttribute(AttributeFactory.newAttribute(AttributeDictionary.MESSAGE_AUTHENTICATOR, authenticator));
>
> System.arraycopy(md5.digest(), 0, authenticator, 0, 16);
>
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
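
The traditional calculation described in the reply above (HMAC-MD5 keyed with the shared secret, over the packet with a zeroed 16-byte Message-Authenticator that is then back-patched), together with the attributes-only variant it suggests trying, as an added example that is not part of the original thread and not JRadius code. The class name, method names and sample packet are constructed for illustration; the thread does not establish which of the two modes a given server accepts for an Accounting-Request.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class MessageAuthenticatorDemo {   // hypothetical name, illustration only
    static final int HEADER_LEN = 20, MESSAGE_AUTHENTICATOR = 80; // header size, attribute type
    // Offset of the 16-byte Message-Authenticator value, or -1 if absent or malformed.
    static int maOffset(byte[] pkt) {
        for (int i = HEADER_LEN, len; i + 2 <= pkt.length; i += len) {
            len = pkt[i + 1] & 0xff;
            if (len < 2 || i + len > pkt.length) return -1;   // malformed attribute
            if ((pkt[i] & 0xff) == MESSAGE_AUTHENTICATOR) return len == 18 ? i + 2 : -1;
        }
        return -1;
    }
    // HMAC-MD5 with the MA value zeroed; attrsOnly=false covers the entire packet, true the attribute block only.
    static byte[] computeMa(byte[] pkt, byte[] secret, boolean attrsOnly) throws Exception {
        int off = maOffset(pkt);
        if (off < 0) throw new IllegalArgumentException("no well-formed Message-Authenticator");
        byte[] copy = pkt.clone();
        Arrays.fill(copy, off, off + 16, (byte) 0);
        Mac mac = Mac.getInstance("HmacMD5");
        mac.init(new SecretKeySpec(secret, "HmacMD5"));
        int start = attrsOnly ? HEADER_LEN : 0;
        mac.update(copy, start, copy.length - start);
        return mac.doFinal();
    }
    static void sign(byte[] pkt, byte[] secret, boolean attrsOnly) throws Exception {
        System.arraycopy(computeMa(pkt, secret, attrsOnly), 0, pkt, maOffset(pkt), 16); // back-patch
    }
    static boolean verify(byte[] pkt, byte[] secret, boolean attrsOnly) throws Exception {
        int off = maOffset(pkt);
        return off >= 0 && MessageDigest.isEqual(   // constant-time comparison
            Arrays.copyOfRange(pkt, off, off + 16), computeMa(pkt, secret, attrsOnly));
    }
    public static void main(String[] args) throws Exception {
        byte[] secret = "testing123".getBytes(StandardCharsets.US_ASCII);
        byte[] pkt = new byte[43];             // constructed sample, not captured traffic
        pkt[0] = 4; pkt[1] = 1; pkt[3] = 43;   // Accounting-Request, id 1, length 43
        pkt[20] = 1; pkt[21] = 5; pkt[22] = 'b'; pkt[23] = 'o'; pkt[24] = 'b'; // User-Name "bob"
        pkt[25] = MESSAGE_AUTHENTICATOR; pkt[26] = 18;  // value stays 16 zero bytes until signed
        for (boolean attrsOnly : new boolean[] {false, true}) {
            sign(pkt, secret, attrsOnly);
            System.out.println("attrsOnly=" + attrsOnly + " verifies=" + verify(pkt, secret, attrsOnly));
        }
        pkt[24] ^= 1;                          // alter an attribute after signing
        System.out.println("tampered verifies=" + verify(pkt, secret, true));
    }
}
```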