----- Original Message ----- From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Sent: Thursday, September 15, 2005 2:50 PM
Subject: Re: FreeRadius Proxying and Message-Authenticator


"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
...

>  I don't think this discussion is useful.  You have your opinions,
> but you're not responsible for server development.


I thought that discussion was the main purpose of an "open" community... because this way all people benefit from the opinions and views of other people.

On the other hand, what's the security difference between accepting
Accounting-Response packets without a Message-Authenticator because there is
no standard, and accepting Accounting-Response packets with a
non-recognized value of Message-Authenticator because there is no standard
about how to calculate it? The most reasonable thing to do, I think, is to
simply ignore the Attribute as if it were not there.

>  Accounting-Response packets are signed, even without a
> Message-Authenticator.  This is required in the RFCs.


This discussion is NOT about "Response-Authenticator", which is highly documented in the RFC... this is about Message-Authenticator in Accounting packets, which is not well documented.

>  As for what's reasonable to do, please feel free to patch your
> local copy of FreeRADIUS to behave however you want.


Yes, I know...

>  The packet is not a valid one, because there is no valid method of
> calculating Message-Authenticator.  Therefore, it is an invalid packet.

If there is no valid method of calculating MA, how can you know that it's
invalid?

>  Maybe you misunderstood me.  There is NO VALID VALUE for
> Message-Authenticator in Accounting-Response packets.

In the same file, at line 1203, you are using this calculated value, again
without regarding packet code, to decide whether to continue or exit with error
status. Again, why, if there is no valid method?


>  Because I updated the code to implement the new proposed method of
> calculating valid Message-Authenticators.


So you are implementing YOUR radius to support YOUR PROPOSED method... well, it seems somewhat proprietary...

>  Please stop arguing about this.  If you feel strongly, patch your
> local server.  That's why you have source.

Yes, but I'm trying to keep a good product like FreeRADIUS interoperating with some known and well-distributed products, which don't strictly violate RFCs...

Know that FreeRADIUS will not interoperate this way with Cisco.


>  The main FreeRADIUS distribution, however, WILL NOT be patched to do
> anything other than what I have described.


OK
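An added example, not from this thread or from the FreeRADIUS code base, showing the two checks the thread argues about on a constructed Accounting-Response: the RFC 2866 Response Authenticator that Paolo calls well documented, and the RFC 3579 HMAC-MD5 construction for Message-Authenticator. Applying that construction to an Accounting-Response is this example's assumption (the thread never says which method Alan's code uses), as are the shared secret and the request authenticator.

```python
import hashlib
import hmac
import struct

ACCOUNTING_RESPONSE = 5   # RFC 2866 packet code
MSG_AUTH_TYPE = 80        # Message-Authenticator attribute type, RFC 3579


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2866: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def zero_message_authenticator(attrs):
    """Copy of attrs with every Message-Authenticator value set to 16 zero bytes."""
    out, pos = bytearray(attrs), 0
    while pos + 2 <= len(out):
        atype, alen = out[pos], out[pos + 1]
        if alen < 2 or pos + alen > len(out):
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH_TYPE and alen == 18:
            out[pos + 2:pos + 18] = bytes(16)
        pos += alen
    return bytes(out)


def message_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 3579 3.2 construction for reply packets: HMAC-MD5 over the packet with
    the Request Authenticator in the header and the attribute value zeroed.
    Using it on an Accounting-Response is an assumption of this example."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    body = header + request_auth + zero_message_authenticator(attrs)
    return hmac.new(secret, body, hashlib.md5).digest()


def build_accounting_response(ident, attrs, request_auth, secret, with_ma=False):
    """Constructed, RFC 2866-signed Accounting-Response, optionally with Message-Authenticator."""
    if with_ma:
        attrs = attrs + bytes([MSG_AUTH_TYPE, 18]) + bytes(16)
        mac = message_authenticator(ACCOUNTING_RESPONSE, ident, attrs, request_auth, secret)
        attrs = attrs[:-16] + mac
    auth = response_authenticator(ACCOUNTING_RESPONSE, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20 + len(attrs)) + auth + attrs


def verify_accounting_response(packet, request_auth, secret):
    """The documented RFC 2866 check: only the Response Authenticator is verified, so
    a Message-Authenticator attribute, if present, is carried but not inspected."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_RESPONSE or length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

A forged or corrupted packet fails the Response Authenticator check whether or not it carries a Message-Authenticator, which is the RFC-mandated signing Alan refers to; the HMAC value is only meaningful once both sides agree on the construction.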


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html