Problem with the attribute "Message-Authenticator"

Thu, 08 Feb 2007 05:39:16 -0800 

   I write a program to send Access-request packet to the Radius server.
The packet format is as follow:
   __________________________________________________________
   |  code = 1      |       ID = 1     |    Length = 73 ( 0x 00 49 )
                |
   __________________________________________________________
   |     16 bytes
authenticator
|
   __________________________________________________________
   |     user_name =
"test"                                                                   |
   __________________________________________________________
   |
chap_password
|
   __________________________________________________________
   |      eap_message =
"pdsicygx"                                                       |
   __________________________________________________________
   |      Message_authenticator
               |
   __________________________________________________________
   The Message_authenticator is calculated as follow:
    Message_authenticator = HMAC-MD5 (code ,ID, Length,16 bytes
Authenticator, user_name,chap_password,eap_message) ,
using the shared secret between NAS and radius server , in this case
,"testing123".
   While sending "chap" packets without the  "eap_message" and
"Message_authenticator" gets "Access request" , sending packets like above
gets  response from radius server as follow:
   rad_recv: Access-Request packet from host 202.117.7.223:1408, id=1,
length=73
   Received packet from 202.117.7.223 with invalid Message-Authenticator!
(Shared secret is incorrect.)
   Server rejecting request 1.
   Finished request 1
   Going to the next request
   --- Walking the entire request list ---
   Waking up in 1 seconds...
   --- Walking the entire request list ---
   Waking up in 1 seconds...
   --- Walking the entire request list ---
   Sending Access-Reject of id 1 to 202.117.7.223:1408

   Segmentations of the "Radiusd -X " are as follow:
   ...
   Module: Loaded eap
   eap: default_eap_type = "md5"
   eap: timer_expire = 60
   eap: ignore_unknown_eap_types = no
   eap: cisco_accounting_username_bug = no
   rlm_eap: Loaded and initialized type md5
   rlm_eap: Loaded and initialized type leap
   ...
   Can the "eap_message" attribute  be set randomly, in my packets,
"pdsicygx"?  Is it right to calculate "Message_authenticator" as I did?


Regards
Guoxian

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to