I wonder if it is correct to discard a packet based on the presence of an attribute whose use is not defined by any standard. I've read the "aboba-radext-fixes" and I see that FR is calculating Message-Authenticator in Accounting packets this way. But there is no RFC about it... RFC2869 describes how to handle incorrect or missing Message-Authenticator in Access-* packets, it doesn't say that you must discard an Accounting packet with invalid Message-Authenticator, because as you say there is no standard about how to calculate it.

I suggest at least a configuration option that can help to avoid this compatibility issue, giving the user the option of accepting or not "incorrect" MAs in Accounting.

I'll try to find out the algorithm used by Cisco... If I happen to be successful, I'll post it.

Thanks


Date: Tue, 13 Sep 2005 17:57:05 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: FreeRadius Proxying and Message-Authenticator
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>

"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
> Hi. I've downloaded FR 1.0.5 which is supposed to have a bugfix for
> Message-Authenticator handling in Accounting-* messages.

 The issue is that the suggested method of calculating
Message-Authenticator MAY NOT be the same as what Cisco's using.
Because there's no standard, Cisco may be doing almost *anything*.

> Am I missing something?

 If you can find out the algorithm used by Cisco, we may be able to
update FreeRADIUS to handle it.  Until then, there isn't much we can
do.


Ing. Paolo Rotela
Jefe Técnico
Blue Telecom

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html