Message-Authenticator Attribute
Alan DeKok
aland at ox.org
Fri Mar 24 22:59:48 CET 2006
"Eliot, Wireless and Server Administrator,
Great Lakes Internet" <support8 at greatlakes.net> wrote:
> Is the message authenticator attribute properly implemented in
> FreeRADIUS?
Huh? Would you expect the answer to be "no"?
> This indicates that anytime it adds a Message-Authenticator attribute,
> it simply sets it to 0. This would explain why I get:
>
> Message-Authenticator = 0x00000000000000000000000000000000
>
> In my proxied packets. However, it could just be that the attributes are
> getting displayed before the authenticator is actually computed and that
> the authenticator is getting computed and sent out correctly in the
> actual packet.
Yes, that's what it's doing.
> I read a post from a long time ago about putting the
> attribute (set to any value) in the response list, but that does not
> seem to work (unless I did it wrong):
>
> /etc/raddb/preproxy_users:
>
> DEFAULT
> Message-Authenticator = 1
You're adding it to the proxied packet. Read the docs.
> Anyway, I think I am running into a problem with not having this in the
> packets. I am proxying requests from my Windows XP SP2 supplicant to my
> Cisco 1310 AP
That's not proxying. The supplicant doesn't do RADIUS.
> When the proxied reply (Access-Challenge) goes out of the router back
> towards the Cisco 1310 AP and the supplicant, the Cisco or the
> supplicant (can't tell which) is ignoring the reply and then sending a
> new request.
That's most likely the "extended key" OID nonsense that Microsoft needs.
> Can anyone verify whether the Message-Authenticator attribute is or is
> not working properly? If it is not working, is it really likely to be
> causing this problem?
It works.
Alan DeKok.
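
The behaviour confirmed in the reply above, as an added example (not part of the original post and not FreeRADIUS code): RFC 2869 defines Message-Authenticator as HMAC-MD5 over the whole packet with the attribute's own 16-octet value treated as zeros, so a packet printed before signing shows the all-zero placeholder. The sample packet, the reply and the shared secret used with it are constructed, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)


def find_msg_auth(packet: bytes) -> int:
    """Return the offset of the 16-byte Message-Authenticator value, or -1."""
    end = struct.unpack("!H", packet[2:4])[0]
    if end < 20 or end != len(packet):  # simplification: no trailing padding
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH and alen == 18:
            return pos + 2
        pos += alen
    return -1


def compute(packet: bytes, secret: bytes, request_auth: bytes = None):
    """Return (offset, HMAC-MD5) with the attribute value treated as zeros."""
    off = find_msg_auth(packet)
    if off < 0:
        raise ValueError("no Message-Authenticator attribute")
    buf = bytearray(packet)
    buf[off:off + 16] = bytes(16)  # the placeholder seen in debug output
    if request_auth is not None:  # replies use the request's authenticator
        buf[4:20] = request_auth
    return off, hmac.new(secret, bytes(buf), hashlib.md5).digest()


def sign(packet: bytes, secret: bytes, request_auth: bytes = None) -> bytes:
    off, mac = compute(packet, secret, request_auth)
    return packet[:off] + mac + packet[off + 16:]


def verify(packet: bytes, secret: bytes, request_auth: bytes = None) -> bool:
    off, mac = compute(packet, secret, request_auth)
    return hmac.compare_digest(mac, packet[off:off + 16])


def sample_request() -> bytes:
    """Constructed Access-Request carrying a zeroed Message-Authenticator."""
    attrs = bytes([1, 6]) + b"user" + bytes([MSG_AUTH, 18]) + bytes(16)
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs
```

To check what actually goes on the wire, run `verify()` on the bytes from a packet capture rather than on the attribute list in the debug output.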