Accounting Request Message Authenticator setting to 0x00

Michael Lecuyer mjl at theorem.com
Fri Mar 16 02:07:47 CET 2007


If your accounting-request is damaged then the server will reject it 
since the signature will be altered. The server performs a signature 
check on the Accounting-Request - basically resigning it and checking 
that the resulting Accounting-Request authenticators are the same.

It's a trust mechanism based on which end is responsible for the 
consequences of the transaction.

When authenticating the client doesn't trust the server and requires 
that the server sign the response packet. The client will grant 
privileges and so cannot afford to blindly trust the server.

In accounting the server doesn't trust the client and requires a signed 
packet from the client. In this case the server doesn't want to trust 
just any old packet for something as important as accounting.

tnt at kalik.co.yu wrote:
> Lets say you achieve that with some packet sniffing software. You don't
> have radius packet any more. You have garbage. What now?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> Dana 16/3/2007, "Archna Mittal" <archna.mittal at globallogic.com> piše:
> 
> 
>>Is it possible to put authenticator filed in Accounting Request message to
>>0x00?
>>
>>Regards,
>>-Archna
>>
>>-----Original Message-----
>>From:
>>freeradius-users-bounces+archna.mittal=globallogic.com at lists.freeradius.org
>>[mailto:freeradius-users-bounces+archna.mittal=globallogic.com at lists.freerad
>>ius.org] On Behalf Of Michael Lecuyer
>>Sent: Thursday, March 15, 2007 6:47 PM
>>To: FreeRadius users mailing list
>>Subject: Re: Accounting Request Message Authenticator setting to 0x00
>>
>>It's impossible to put an Message-Authenticator in an accounting packet.
>>It has to do with the way the Accounting-Request packet is signed.
>>
>>The MA is placed in the Access-Request packet as 16 zeroed bytes. The
>>HMAC-MD5 value is calculated over the entire packet and patched into the
>>MA's zeroed value. Since the authenticator is a random number the MA's
>>value does not matter when back patched in the packet.
>>
>>An accounting packet (Accounting-Request) is signed by performing an MD5
>>over the entire packet and then stuffing that value into the
>>authenticator's position. So the accounting packet is already securely
>>signed and doesn't need another signature on top of that. It would be
>>impossible to calculate the MA since the authenticator starts out zeroed
>>in an accounting packet. When the accounting packet is signed either a
>>precalculated MA will be incorrect or a post-authenticated MA will
>>invalidate the accounting packet's signature.
>>
>>Archna Mittal wrote:
>>
>>>Hi,
>>>
>>>  I am a newbie to Radius Protocol.  I want to set the Message
>>>Authenticator value to 0x00 in my Accounting Request. I have tried bzero
>>>but its not working.
>>>
>>>Please let me know if there is a way to do it?
>>>
>>>
>>>
>>>
>>>
>>>Thanks & Regards,
>>>
>>>Regards,
>>>
>>>-Archna
>>>
>>>
>>>------------------------------------------------------------------------
>>>
>>>-
>>>List info/subscribe/unsubscribe? See
>>
>>http://www.freeradius.org/list/users.html
>>
>>-
>>List info/subscribe/unsubscribe? See
>>http://www.freeradius.org/list/users.html
>>
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>>
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 




More information about the Freeradius-Users mailing list