Message-Authenticator Attribute

Eliot, Wireless and Server Administrator, Great Lakes Internet support8 at greatlakes.net
Fri Mar 24 23:49:59 CET 2006


> >  I read a post from a long time ago about putting the
> > attribute (set to any value) in the response list, but that does not
> > seem to work (unless I did it wrong):
> > 
> > /etc/raddb/preproxy_users:
> > 
> > DEFAULT
> >   Message-Authenticator = 1
> 
>   You're adding it to the proxied packet.  Read the docs.

Right, because FreeRADIUS is acting as a proxy -- but it wasn't even a
problem, so I didn't really need to put that in there. Correct me if I'm
wrong, but EAP should be doing Message-Authenticator stuff without me
needing to tell it to add the attribute, right? It seems to be doing
just that.

> > Anyway, I think I am running into a problem with not having this in the
> > packets. I am proxying requests from my Windows XP SP2 supplicant to my
> > Cisco 1310 AP
> 
>   That's not proxying.  The supplicant doesn't do RADIUS.

Yeah, I suppose I could have worded that a bit more technically
accurate. The supplicant is sending the EAP requests to the Cisco, which
is sending RADIUS stuff to the router running FreeRADIUS, which is
proxying those RADIUS requests to the IAS machine. Sound right now?

> > When the proxied reply (Access-Challenge) goes out of the router back
> > towards the Cisco 1310 AP and the supplicant, the Cisco or the
> > supplicant (can't tell which) is ignoring the reply and then sending a
> > new request.
> 
>   That's most likely the "extended key" oid nonsense that Microsoft needs.

Since you seem to know something about this, can you either:

A) Explain what the "extended key oid nonsense" is?
B) Point me to some place I can read about it?

I appreciate your help. 

Thanks,

Eliot Gable
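
Added example, not part of the original message and not FreeRADIUS code: a check that can be run on a captured Access-Challenge to see whether the Message-Authenticator discussed in this thread is present and valid. It follows RFC 3579 (HMAC-MD5 keyed with the shared secret, attribute value zeroed, and for replies the Request Authenticator of the matching Access-Request in the header); the function names, secret and sample packet are constructed for illustration.

```python
import hashlib, hmac, struct

MESSAGE_AUTHENTICATOR = 80          # attribute type, RFC 2869 / RFC 3579
ACCESS_REQUEST = 1
SECRET = b"testing123"              # constructed shared secret
REQUEST_AUTH = bytes(range(16))     # constructed Request Authenticator

def find_ma(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    (length,) = struct.unpack("!H", packet[2:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20                        # attributes follow the 20-byte header
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    return None

def compute_ma(packet, secret, request_auth=None):
    """HMAC-MD5 over the packet with the attribute value set to zero."""
    (length,) = struct.unpack("!H", packet[2:4])
    offset = find_ma(packet)
    if offset is None:
        raise ValueError("no Message-Authenticator attribute to fill in")
    buf = bytearray(packet[:length])
    buf[offset:offset + 16] = bytes(16)
    if packet[0] != ACCESS_REQUEST:  # replies are hashed with the request's value
        if request_auth is None or len(request_auth) != 16:
            raise ValueError("reply needs the 16-byte Request Authenticator")
        buf[4:20] = request_auth
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def check_ma(packet, secret, request_auth=None):
    """True/False when the attribute is present, None when it is missing."""
    offset = find_ma(packet)
    if offset is None:
        return None
    expected = compute_ma(packet, secret, request_auth)
    return hmac.compare_digest(packet[offset:offset + 16], expected)

def sample_challenge():
    """Constructed Access-Challenge (code 11) with EAP-Message and attribute 80."""
    attrs = bytes([79, 8, 1, 2, 0, 6, 25, 32]) + bytes([80, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", 11, 7, 20 + len(attrs)) + bytes(16) + attrs)
    off = find_ma(pkt)
    pkt[off:off + 16] = compute_ma(pkt, SECRET, REQUEST_AUTH)
    return bytes(pkt)
```

A `None` result on a packet that carries EAP-Message is itself a finding, since RFC 3579 has receivers silently discard such packets.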



