I wrote a program to send an Access-Request packet to the Radius server. The packet format is as follows:

 __________________________________________________________
| code = 1 | ID = 1 | Length = 73 ( 0x 00 49 )             |
 __________________________________________________________
| 16 bytes authenticator                                   |
 __________________________________________________________
| user_name = "test"                                       |
 __________________________________________________________
| chap_password                                            |
 __________________________________________________________
| eap_message = "pdsicygx"                                 |
 __________________________________________________________
| Message_authenticator                                    |
 __________________________________________________________

The Message_authenticator is calculated as follows:

Message_authenticator = HMAC-MD5 (code, ID, Length, 16 bytes Authenticator, user_name, chap_password, eap_message), using the shared secret between NAS and radius server, in this case, "testing123".

While sending "chap" packets without the "eap_message" and "Message_authenticator" gets "Access request", sending packets like the above gets a response from the radius server as follows:

rad_recv: Access-Request packet from host 202.117.7.223:1408, id=1, length=73
Received packet from 202.117.7.223 with invalid Message-Authenticator! (Shared secret is incorrect.)
Server rejecting request 1.
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 202.117.7.223:1408

Segments of the "Radiusd -X" output are as follows:

...
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
...

Can the "eap_message" attribute be set randomly, in my packets, "pdsicygx"? Is it right to calculate "Message_authenticator" as I did?

Regards
Guoxian
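
Added example, not part of the original post and not FreeRADIUS code: RFC 3579 defines Message-Authenticator as HMAC-MD5 over the entire Access-Request, including the Message-Authenticator attribute itself with its 16-byte value set to zero while hashing. The sketch below builds a packet with the post's 73-byte layout and checks it the way a receiver would; the request authenticator and CHAP bytes are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

USER_NAME, CHAP_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 3, 79, 80

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, request_auth, attrs, secret):
    """Build an Access-Request (code 1) and fill in Message-Authenticator."""
    # Placeholder attribute: its 16-byte value is all zeros while hashing.
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth
    packet = bytearray(header + body)
    # HMAC-MD5 over the whole packet, placeholder included, keyed with the secret.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet, secret):
    """Recompute the HMAC as a receiver would and compare in constant time."""
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # no Message-Authenticator present

# Constructed sample values mirroring the layout in the post.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
ATTRS = [attr(USER_NAME, b"test"),
         attr(CHAP_PASSWORD, b"\x01" + b"\xaa" * 16),  # CHAP ident + response
         attr(EAP_MESSAGE, b"pdsicygx")]
PACKET = build_access_request(1, REQUEST_AUTH, ATTRS, SECRET)
```
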