Tim Mayo <[EMAIL PROTECTED]> wrote:
> The 0906 snapshot has the same behavior in this regard as the 0830
> snapshot. :(  I was able to get it to work by commenting out the check
> that causes the error message, but there needs to be a cleaner method. 

  I agree.  The problem is that the hmac code used by
Message-Authenticator appears to work, so that's not the problem.

  The server is at least sane in that the Message-Authenticator is
verified properly for sending/receiving using the FreeRADIUS code.
But it hasn't been well tested with other systems, and the RFCs do
not provide test vectors that we can use for verification.

> Does the server know when it has seen an EAP request from a given NAS? 

  Yes.  It gets an EAP-Message with no data in the attribute.

> Is there any way for the server to know that a given
> Message-Authenticator should really be checked?

  If the attribute is there, then it SHOULD be checked.


  If you can give sample packets sent by the NAS, that would help a
*lot*.  i.e. set the secret to 'testing123', and use 'tcpdump -x' to
record a few packets.  Send the results to the list, and we can use
them for verification.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
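
The check discussed in this message, as an added example (not code from the email or from FreeRADIUS): it verifies the Message-Authenticator of an Access-Request as HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's 16 value octets zeroed (RFC 2869). The function names and the sample packet are constructed for illustration; the packet carries an EAP-Message with no data, as described above, and is signed with the secret 'testing123'.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80

def find_attribute(packet, attr_type):
    """Return (value_offset, value_length) of the first matching attribute, or None."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # attributes start after code, id, length, 16-octet authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == attr_type:
            return pos + 2, a_len - 2
        pos += a_len
    return None

def check_access_request(packet, secret):
    """None if the attribute is absent, else True/False for the HMAC check.

    Access-Request only: a reply is checked against the Request
    Authenticator of the request it answers, which is not handled here.
    """
    found = find_attribute(packet, MESSAGE_AUTHENTICATOR)
    if found is None:
        return None
    offset, value_len = found
    if value_len != 16:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[offset:offset + 16])

def build_sample_request(secret):
    """Constructed packet: User-Name, empty EAP-Message, Message-Authenticator."""
    attrs = (bytes([1, 6]) + b"test"
             + bytes([EAP_MESSAGE, 2])
             + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16))
    packet = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16)) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here

if __name__ == "__main__":
    print(check_access_request(build_sample_request(b"testing123"), b"testing123"))
```

To check a real capture, pass the UDP payload of the Access-Request as bytes, with the IP and UDP headers from the 'tcpdump -x' output removed.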
