Message-Authenticator in Access-Challenge and Access-Accept

Alan DeKok aland at deployingradius.com
Thu Jan 30 13:55:40 UTC 2025


On Jan 30, 2025, at 8:01 AM, FreeRAD <yetifreerad at gmail.com> wrote:
> 
> In Access-Requests I can see that the Message-Authenticator is set to a
> randomly generated string which I would expect. However in the
> Access-Challenge and Access-Accept packets it is just set to all 0s (e.g.
> 0x0000...). What could the reason be for a random string not being
> generated for the replies from the server to the NAS?

  Because the debug output is printed before the packet is encoded.  Once the packet is encoded, the packet is signed with the Message-Authenticator attribute.

> I added the below in response to the BlastRADIUS vulnerability notification
> on the FreeRADIUS but I was under the impression that FreeRADIUS should
> still be generating its own string based off of HMAC and shared secret etc.

  Use Wireshark, or radiusd -Xx, and you will see the raw packet contents.  The Message-Authenticator is not zero.

  Or, use radclient -x to send packets to the server.  You will see that the server debug shows "Message-Authenticator = 0x00", but the packet that radclient receives has a different value.

  To put it another way, you don't tell the server how big the encoded packet is, either.  Yet somehow the server figures it out, and does the right thing.

  It's fine.  There's no need to worry.  And if you worry, there are multiple ways to check what's going on.

  Alan DeKok.
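Added example (not FreeRADIUS code, and not part of the thread): a reply is encoded with a 16-byte zero placeholder for Message-Authenticator, exactly what the debug output shows, and is signed only afterwards with HMAC-MD5 keyed by the shared secret over the Request Authenticator of the matching Access-Request (RFC 3579 section 3.2); the client-side check then rejects replies that lack or fail the attribute. The shared secret, Request Authenticator and Reply-Message below are constructed sample values.

```python
import hashlib, hmac, struct

MSG_AUTH_TYPE = 80      # Message-Authenticator attribute (RFC 2869 section 5.14)

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_reply(code, ident, request_auth, secret, attrs):
    """Encode a reply (Access-Accept=2, Access-Challenge=11): the Message-Authenticator
    is a 16-byte zero placeholder until the packet is encoded, then it is signed."""
    body = encode_attrs(list(attrs) + [(MSG_AUTH_TYPE, bytes(16))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # HMAC-MD5 keyed with the shared secret over Code, ID, Length, the
    # *Request* Authenticator and the attributes (RFC 3579 section 3.2).
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac                 # placeholder was the last attribute
    # Response Authenticator (RFC 2865) is computed last, over the signed attributes.
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_reply(packet, request_auth, secret):
    """Client-side check of a reply; a reply without Message-Authenticator is rejected."""
    if len(packet) < 20 or struct.unpack("!BBH", packet[:4])[2] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    off, ma_off = 0, None
    while off + 2 <= len(body):             # walk the TLVs to locate attribute 80
        atype, alen = body[off], body[off + 1]
        if alen < 2 or off + alen > len(body):
            return False
        if atype == MSG_AUTH_TYPE and alen == 18:
            ma_off = off + 2
        off += alen
    if ma_off is None:
        return False
    zeroed = body[:ma_off] + bytes(16) + body[ma_off + 16:]
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, body[ma_off:ma_off + 16]):
        return False
    expected_ra = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected_ra, resp_auth)

# Constructed sample values (not from any real deployment).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
REPLY = build_reply(2, 7, REQUEST_AUTH, SECRET, [(18, b"Hello")])  # 18 = Reply-Message
```

Dumping REPLY with the placeholder still in place would show the all-zero value from the debug output; the encoded packet carries the real HMAC.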