[RADIATOR] Message-Authenticator Attribute

Heikki Vatiainen hvn at open.com.au
Mon Nov 12 15:34:38 CST 2012

On 11/12/2012 05:28 PM, Renfer Stefan wrote:

> According to the RFC2869 the Message-Authenticator is defined as

> Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request
> Authenticator, Attributes)

Hello Stefan,

yes, you are correct. It's the Radiator packet dump output that is
causing the unexpected value you are seeing.

> And therefore the Message-Authenticator should be recalculate on a proxy
> as some of those are different,  but it doesn’t as you can see in the
> logs below:

The log shows the received Message-Authenticator is unchanged when the
request is proxied. What the packet dump shows the values in the format
they are handled by Radiator. For example, NAS-Port-Type has a human
readable text value instead of numeric value, the attributes are shown
as they were received and so on. Before sending, these values are
converted into appropriate binary format and the Message-Authenticator
value is only recalculated for the binary presentation.

If you look at the proxied packet, you will see the
Message-Authenticator in its final format which is different from what
the dump shows. In other words, the dumped valued is not the proxied,
recalculated value.

However, if it looks like there are problems with Message-Authenticator,
please let us know.


Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list