I am writing to say that, for an Access-Request, the proxy:
1) Must add the Proxy-State
2) Recomputes the Message-Authenticator using the HMAC-MD5 calculation with
the server secret
3) Does not change the Authenticator
4) Might use a different Id and forwards the request
For an Access-Response, the proxy:
1) Removes the Proxy-State
2) Recomputes the Message-Authenticator using the HMAC-MD5 calculation with
the client secret
3) Regenerates the Authenticator from the original Access-Request one
4) Gets back the original request Id and forwards the response
And the HMAC-MD5 must be used with the following arguments: HMAC-MD5
(packet, packet_len, secret, secret_len, destination of the new
Message-Authenticator)
But RFC 2869 is saying
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
Request Authenticator, Attributes)
And from RFC 2104 the keys are different:
void
hmac_md5(unsigned char *text,  /* pointer to data stream */
         int text_len,         /* length of data stream */
         unsigned char *key,   /* pointer to authentication key */
         int key_len,          /* length of authentication key */
         caddr_t digest);      /* caller digest to be filled in */
Thanks,
Julien
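As an added example (not code from the original post or from FreeRADIUS), the Access-Request steps above worked through in Python: the NAS side signs with one secret, the proxy verifies with that secret, appends Proxy-State, keeps the Request Authenticator, picks a new Id and re-signs with the other secret. The secrets, the Authenticator and the Proxy-State value are constructed sample values.

```python
import hmac
import hashlib
import struct
# Constructed constants from RFC 2865/2869; example code, not FreeRADIUS code.
ACCESS_REQUEST = 1
USER_NAME = 1
PROXY_STATE = 33
MESSAGE_AUTHENTICATOR = 80

def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def attributes(packet):
    """Yield (type, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        length = packet[pos + 1]
        yield packet[pos], packet[pos + 2:pos + length]
        pos += length

def sign(code, ident, authenticator, attrs, secret):
    """Build the packet and fill in Message-Authenticator per RFC 2869 5.14: HMAC-MD5
    keyed with this hop's shared secret over the whole packet with the MA value zeroed."""
    body = b"".join(attrs) + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify(packet, secret):
    """Recompute the HMAC with the Message-Authenticator value zeroed."""
    pos, ma_offset = 20, None
    while pos < len(packet):
        if packet[pos] == MESSAGE_AUTHENTICATOR:
            ma_offset = pos + 2
        pos += packet[pos + 1]
    if ma_offset is None:
        return False
    zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[ma_offset:ma_offset + 16])

def proxy_forward(packet, client_secret, server_secret, new_ident, proxy_state):
    """Access-Request steps from the post: check the MA with the NAS-proxy secret, add
    Proxy-State, keep the Request Authenticator, use a new Id, re-sign with the server secret."""
    if not verify(packet, client_secret):
        raise ValueError("Message-Authenticator does not verify with client secret")
    code, authenticator = packet[0], packet[4:20]
    attrs = [avp(t, v) for t, v in attributes(packet) if t != MESSAGE_AUTHENTICATOR]
    attrs.append(avp(PROXY_STATE, proxy_state))
    return sign(code, new_ident, authenticator, attrs, server_secret)
```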
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Puneet B
Sent: 01 July 2003 17:52
To: [EMAIL PROTECTED]
Subject: RE: EAP in a Proxy
> What are the operations that must be performed by a proxy on the Message-
> Authenticator?
>
> The proxy adds its Proxy-State (33) and then sends the request on to
> the server destination.
>
> The HMAC-MD5 is using the packet length, so when you change the packet you
> need to recompute the Message-Authenticator, as the Message-Authenticator
> contains a checksum calculated with the length of the packet.
The Message Authenticator has to be computed again, for one or more of the
following reasons:
1. The key used for the HMAC-MD5 calculation is the shared secret, and you
will most probably have two different secrets between the (NAS, proxy)
and (proxy, Radius server).
2. As you mention, another attribute (Proxy-State) may be added to the
packet.
3. The proxy might use a different Id and Authenticator while forwarding the
packet.
Any of these results in a change in the contents of the packet and requires
re-signing the packet using HMAC-MD5 and putting the signature as the
Message-Authenticator.
Puneet
_______________________________________________
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html