Accounting Request Message Authenticator setting to 0x00

Michael Lecuyer mjl at theorem.com
Fri Mar 16 00:47:03 CET 2007


It's impossible to put an Message-Authenticator in an accounting packet. 
It has to do with the way the Accounting-Request packet is signed.

The MA is placed in the Access-Request packet as 16 zeroed bytes. The 
HMAC-MD5 value is calculated over the entire packet and patched into the 
MA's zeroed value. Since the authenticator is a random number the MA's 
value does not matter when back patched in the packet.

An accounting packet (Accounting-Request) is signed by performing an MD5 
over the entire packet and then stuffing that value into the 
authenticator's position. So the accounting packet is already securely 
signed and doesn't need another signature on top of that. It would be 
impossible to calculate the MA since the authenticator starts out zeroed 
in an accounting packet. When the accounting packet is signed either a 
precalculated MA will be incorrect or a post-authenticated MA will 
invalidate the accounting packet's signature.

Archna Mittal wrote:
> Hi,
> 
>   I am a newbie to Radius Protocol.  I want to set the Message 
> Authenticator value to 0x00 in my Accounting Request. I have tried bzero 
> but its not working.
> 
> Please let me know if there is a way to do it?
> 
>  
> 
>  
> 
> Thanks & Regards,
> 
> Regards,
> 
> -Archna
> 
> 
> ------------------------------------------------------------------------
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list