Message-Authenticator in Access-Challenge and Access-Accept
FreeRAD
yetifreerad at gmail.com
Thu Jan 30 14:00:02 UTC 2025
Thanks very much, Alan! I’ll do a few tests.
On Thu, 30 Jan 2025 at 13:56, Alan DeKok <aland at deployingradius.com> wrote:
> On Jan 30, 2025, at 8:01 AM, FreeRAD <yetifreerad at gmail.com> wrote:
> >
> > In Access-Requests I can see that the Message-Authenticator is set to a
> > randomly generated string which I would expect. However in the
> > Access-Challenge and Access-Accept packets it is just set to all 0s (e.g.
> > 0x0000...). What could the reason be for a random string not being
> > generated for the replies from the server to the NAS?
>
> Because the debug output is printed before the packet is encoded. Once
> the packet is encoded, the packet is signed with the Message-Authenticator
> attribute.
>
> > I added the below in response to the BlastRADIUS vulnerability
> > notification on the FreeRADIUS but I was under the impression that
> > FreeRADIUS should still be generating its own string based off of HMAC
> > and shared secret etc.
>
> Use Wireshark, or radiusd -Xx, and you will see the raw packet
> contents. The Message-Authenticator is not zero.
>
> Or, use radclient -x to send packets to the server. You will see that
> the server debug shows "Message-Authenticator = 0x00", but the packet that
> radclient receives has a different value.
>
> To put it another way, you don't tell the server how big the encoded
> packet is, either. Yet somehow the server figures it out, and does the
> right thing.
>
> It's fine. There's no need to worry. And if you worry, there are
> multiple ways to check what's going on.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
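The reply-side encoding Alan describes (the debug output shows a zero-filled Message-Authenticator because the signature is only computed once the packet is encoded) can be reproduced in a few lines. The block below is an added illustration, not FreeRADIUS code; it follows the RFC 2869 section 5.14 rules for Access-Accept/Access-Challenge replies: the attribute is emitted as 16 zero bytes, HMAC-MD5 keyed with the shared secret is computed over the packet with the Request Authenticator in the authenticator field, the result replaces the zeros, and only then is the Response Authenticator (MD5 over the packet plus the secret) filled in. The shared secret and the 16-byte Request Authenticator are constructed sample values; `build_reply` returns both the pre-signature packet (what the debug output corresponds to) and the final wire packet, and `verify_reply` is the check a NAS would run on receipt.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not taken from the thread)
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))  # 16-byte Request Authenticator from the Access-Request

ACCESS_ACCEPT = 2
ACCESS_CHALLENGE = 11
REPLY_MESSAGE = 18
MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_reply(code, ident, request_authenticator, attrs, secret):
    """Encode a reply and return (pre_signature_packet, wire_packet).

    pre_signature_packet holds the 16 zero bytes the server debug prints;
    wire_packet carries the real HMAC-MD5 and the Response Authenticator.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder zeros
    length = 20 + len(body)
    header = struct.pack("!BBH", code, ident, length)
    # Authenticator field holds the Request Authenticator while signing (RFC 2869 5.14)
    unsigned = header + request_authenticator + body
    ma_offset = length - 16  # value of the last attribute
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    signed = unsigned[:ma_offset] + mac + unsigned[ma_offset + 16:]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(signed + secret).digest()
    return unsigned, header + response_auth + signed[20:]


def verify_reply(packet, request_authenticator, secret):
    """Check Response Authenticator and Message-Authenticator of a received reply."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected_resp = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected_resp, packet[4:20]):
        return False
    # Locate Message-Authenticator by walking the TLVs; reject malformed lengths
    off, ma_off = 0, None
    while off + 2 <= len(attrs):
        t, l = attrs[off], attrs[off + 1]
        if l < 2 or off + l > len(attrs):
            return False
        if t == MESSAGE_AUTHENTICATOR:
            if l != 18:
                return False
            ma_off = off + 2
        off += l
    if ma_off is None:
        return False  # a reply without the attribute is not accepted
    received = attrs[ma_off:ma_off + 16]
    zeroed = attrs[:ma_off] + bytes(16) + attrs[ma_off + 16:]
    expected_mac = hmac.new(secret, packet[:4] + request_authenticator + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_mac, received)


if __name__ == "__main__":
    unsigned, wire = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR,
                                 [(REPLY_MESSAGE, b"Hello")], SECRET)
    print("debug-stage Message-Authenticator:", unsigned[-16:].hex())
    print("on-the-wire Message-Authenticator:", wire[-16:].hex())
    print("verifies:", verify_reply(wire, REQUEST_AUTHENTICATOR, SECRET))
```

Running this prints 32 zeros for the pre-signature packet and a non-zero HMAC for the wire packet, which is the difference between the server's debug line and what `radclient -x` or Wireshark shows. The verifier checks the Response Authenticator first and then recomputes the HMAC with the attribute zeroed, so a reply with a wrong secret, a tampered attribute or no Message-Authenticator at all is rejected.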