> What are the operations that must be performed by a proxy on the
> Message-Authenticator?
>
>The proxy is added its proxy state (33) and after sends back the request to
> the server destinations.
>
> The HMAC-MD5 is using the packet length so when you change the packet you
> need to recompute the Message-Authenticator. As the Message-Authenticator
> contains a checksum calculated with the length of the packet.

The Message Authenticator has to be computed again, for one or more of the following reasons:

1. The key used for the HMAC-MD5 calculation is the shared secret, and you will most probably have two different secrets between the (NAS, proxy) and (proxy, RADIUS server).
2. As you mention, another attribute (Proxy-State) may be added to the packet.
3. The proxy might use a different Id and Authenticator while forwarding the packet.

Any of these results in a change in the contents of the packet and requires re-signing the packet using HMAC-MD5 and putting the signature as the Message-Authenticator.

Puneet
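
The re-signing step described in this reply, as an added example that is not part of the original post or of FreeRADIUS: a proxy verifies an Access-Request under the NAS secret, appends Proxy-State (33), fixes the Length field and recomputes Message-Authenticator (80) under the server secret, using the RFC 2869 rule of hashing the whole packet with the attribute value zeroed. The function names, secrets and sample packet are constructed for illustration; the sketch covers Access-Request only, keeps the same Id and Authenticator, and the sample carries no User-Password.

```python
import hashlib, hmac, struct

MSG_AUTH, PROXY_STATE = 80, 33  # RADIUS attribute types

def trim(packet):
    """Cut the packet to the Length field in its header (bytes 2-3)."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    return packet[:length]

def find_attr(packet, wanted):
    """Return the value offset of the first attribute of type `wanted`, or -1."""
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == wanted:
            return pos + 2
        pos += alen
    return -1

def sign(packet, secret):
    """Recompute Message-Authenticator over the whole packet under `secret`."""
    buf = bytearray(trim(packet))
    off = find_attr(buf, MSG_AUTH)
    if off < 0 or buf[off - 1] != 18:
        raise ValueError("no usable Message-Authenticator")
    buf[off:off + 16] = bytes(16)  # field is zeroed while hashing
    buf[off:off + 16] = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return bytes(buf)

def verify(packet, secret):
    return hmac.compare_digest(sign(packet, secret), trim(packet))

def proxy_forward(packet, nas_secret, server_secret, state):
    """Check the NAS signature, append Proxy-State, re-sign for the server."""
    if not verify(packet, nas_secret):
        raise ValueError("Message-Authenticator does not match NAS secret")
    body = trim(packet) + bytes([PROXY_STATE, len(state) + 2]) + state
    body = body[:2] + struct.pack("!H", len(body)) + body[4:]
    return sign(body, server_secret)

def build_sample(secret):
    """Constructed Access-Request: User-Name and Message-Authenticator only."""
    attrs = bytes([1, 7]) + b"alice" + bytes([MSG_AUTH, 18]) + bytes(16)
    header = bytes([1, 42]) + struct.pack("!H", 20 + len(attrs)) + bytes(range(16))
    return sign(header + attrs, secret)
```

A packet that gains Proxy-State and a new Length without the re-sign step fails `verify` under either secret, which is the failure the original question was circling.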
