Accounting Request Message Authenticator setting to 0x00
Michael Lecuyer
mjl at theorem.com
Fri Mar 16 00:47:03 CET 2007
It's impossible to put an Message-Authenticator in an accounting packet.
It has to do with the way the Accounting-Request packet is signed.
The MA is placed in the Access-Request packet as 16 zeroed bytes. The
HMAC-MD5 value is calculated over the entire packet and patched into the
MA's zeroed value. Since the authenticator is a random number the MA's
value does not matter when back patched in the packet.
An accounting packet (Accounting-Request) is signed by performing an MD5
over the entire packet and then stuffing that value into the
authenticator's position. So the accounting packet is already securely
signed and doesn't need another signature on top of that. It would be
impossible to calculate the MA since the authenticator starts out zeroed
in an accounting packet. When the accounting packet is signed either a
precalculated MA will be incorrect or a post-authenticated MA will
invalidate the accounting packet's signature.
Archna Mittal wrote:
> Hi,
>
> I am a newbie to Radius Protocol. I want to set the Message
> Authenticator value to 0x00 in my Accounting Request. I have tried bzero
> but its not working.
>
> Please let me know if there is a way to do it?
>
>
>
>
>
> Thanks & Regards,
>
> Regards,
>
> -Archna
>
>
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list