Accounting Request Message Authenticator setting to 0x00

tnt at kalik.co.yu tnt at kalik.co.yu
Fri Mar 16 01:34:37 CET 2007


Lets say you achieve that with some packet sniffing software. You don't
have radius packet any more. You have garbage. What now?

Ivan Kalik
Kalik Informatika ISP


Dana 16/3/2007, "Archna Mittal" <archna.mittal at globallogic.com> piše:

>Is it possible to put authenticator filed in Accounting Request message to
>0x00?
>
>Regards,
>-Archna
>
>-----Original Message-----
>From:
>freeradius-users-bounces+archna.mittal=globallogic.com at lists.freeradius.org
>[mailto:freeradius-users-bounces+archna.mittal=globallogic.com at lists.freerad
>ius.org] On Behalf Of Michael Lecuyer
>Sent: Thursday, March 15, 2007 6:47 PM
>To: FreeRadius users mailing list
>Subject: Re: Accounting Request Message Authenticator setting to 0x00
>
>It's impossible to put an Message-Authenticator in an accounting packet.
>It has to do with the way the Accounting-Request packet is signed.
>
>The MA is placed in the Access-Request packet as 16 zeroed bytes. The
>HMAC-MD5 value is calculated over the entire packet and patched into the
>MA's zeroed value. Since the authenticator is a random number the MA's
>value does not matter when back patched in the packet.
>
>An accounting packet (Accounting-Request) is signed by performing an MD5
>over the entire packet and then stuffing that value into the
>authenticator's position. So the accounting packet is already securely
>signed and doesn't need another signature on top of that. It would be
>impossible to calculate the MA since the authenticator starts out zeroed
>in an accounting packet. When the accounting packet is signed either a
>precalculated MA will be incorrect or a post-authenticated MA will
>invalidate the accounting packet's signature.
>
>Archna Mittal wrote:
>> Hi,
>>
>>   I am a newbie to Radius Protocol.  I want to set the Message
>> Authenticator value to 0x00 in my Accounting Request. I have tried bzero
>> but its not working.
>>
>> Please let me know if there is a way to do it?
>>
>>
>>
>>
>>
>> Thanks & Regards,
>>
>> Regards,
>>
>> -Archna
>>
>>
>> ------------------------------------------------------------------------
>>
>> -
>> List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>




More information about the Freeradius-Users mailing list