Message-Authenticator Attribute
Eliot, Wireless and Server Administrator, Great Lakes Internet
support8 at greatlakes.net
Fri Mar 24 21:54:25 CET 2006
Is the message authenticator attribute properly implemented in
FreeRADIUS? I see this in the code:
/*
* EAP-Message is always associated with
* Message-Authenticator but not vice-versa.
*
* Don't add a Message-Authenticator if it's already
* there.
*/
vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR);
if (!vp) {
vp = paircreate(PW_MESSAGE_AUTHENTICATOR, PW_TYPE_OCTETS);
memset(vp->strvalue, 0, AUTH_VECTOR_LEN);
vp->length = AUTH_VECTOR_LEN;
pairadd(&(request->reply->vps), vp);
}
This indicates that anytime it adds a Message-Authenticator attribute,
it simply sets it to 0. This would explain why I get:
Message-Authenticator = 0x00000000000000000000000000000000
In my proxied packets. However, it could just be that the attributes are
getting displayed before the authenticator is actually computed and that
the authenticator is getting computed and sent out correctly in the
actual packet. I read a post from a long time ago about putting the
attribute (set to any value) in the response list, but that does not
seem to work (unless I did it wrong):
/etc/raddb/preproxy_users:
DEFAULT
Message-Authenticator = 1
Anyway, I think I am running into a problem with not having this in the
packets. I am proxying requests from my Windows XP SP2 supplicant to my
Cisco 1310 AP, then my router running FreeRADIUS, then Microsoft IAS.
When the proxied reply (Access-Challenge) goes out of the router back
towards the Cisco 1310 AP and the supplicant, the Cisco or the
supplicant (can't tell which) is ignoring the reply and then sending a
new request.
Can anyone verify whether the Message-Authenticator attribute is or is
not working properly? If it is not working, is it really likely to be
causing this problem?
Thanks for any help on this.
Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
Now offering Broadband Wireless Internet access in Croswell, Lexington,
Brown City, Yale, and Sandusky. Call for details.
More information about the Freeradius-Users
mailing list