Problem with the attribute "Message-Authenticator"

yao guoxian yaoguoxian at gmail.com
Thu Feb 8 13:37:59 CET 2007 

    I write a program to send Access-request packet to the Radius server.
The packet format is as follow:
    __________________________________________________________
    |  code = 1      |       ID = 1     |    Length = 73 ( 0x 00 49 )
                 |
    __________________________________________________________
    |     16 bytes
authenticator
|
    __________________________________________________________
    |     user_name =
"test"                                                                   |
    __________________________________________________________
    |
chap_password
|
    __________________________________________________________
    |      eap_message =
"pdsicygx"                                                       |
    __________________________________________________________
    |      Message_authenticator
                |
    __________________________________________________________
    The Message_authenticator is calculated as follow:
     Message_authenticator = HMAC-MD5 (code ,ID, Length,16 bytes
Authenticator, user_name,chap_password,eap_message) ,
using the shared secret between NAS and radius server , in this case
,"testing123".
    While sending "chap" packets without the  "eap_message" and
"Message_authenticator" gets "Access request" , sending packets like above
gets  response from radius server as follow:
    rad_recv: Access-Request packet from host 202.117.7.223:1408, id=1,
length=73
    Received packet from 202.117.7.223 with invalid Message-Authenticator!
(Shared secret is incorrect.)
    Server rejecting request 1.
    Finished request 1
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 1 to 202.117.7.223:1408

    Segmentations of the "Radiusd -X " are as follow:
    ...
    Module: Loaded eap
    eap: default_eap_type = "md5"
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    ...
    Can the "eap_message" attribute  be set randomly, in my packets,
"pdsicygx"?  Is it right to calculate "Message_authenticator" as I did?


Regards
Guoxian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070208/68dbaa4d/attachment.html>

More information about the Freeradius-Users mailing list