"Julien Maerfeld" <[EMAIL PROTECTED]> wrote:
> I am write to say that the proxy for Access-Request
> 1) Must add the Proxy-State
> 2) Recomputed Message-Authenticator by using the HMAC-MD5 calculations with
> the server secret

Yes.

> 3) The Authenticator is not changed

No.

> 4) The proxy might use a different Id and forwards the request

Yes.

> For Access-Response
> 1) Remove the Proxy-State
> 2) Recomputed Message-Authenticator by using the HMAC-MD5 calculations with
> the client secret

Yes.

> 3) Regenerate the Authenticator from the original Accept-Request one.

Huh? What do you mean by this?

> 4) The proxy gets back the original request Id and forwards the response

I'm not sure what you mean by this.

> And the HMAC-MD5 must be used with the following attributes: HMAC-MD5
> (packet, packet_len, secret, secret_len, destination of the new
> Message-Authenticator)

<shrug> Whatever the RFC says.

> But the rfc2869 protocol is saying
> Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
> Request Authenticator, Attributes)

Yes...

> And from 2104 the keys are different

No. You can look through the source to the server to discover how HMAC_MD5 works. It's probably easier than typing long messages to the list.

Alan DeKok.
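The Access-Request half of the exchange above, as an added example that is not part of the original post and is not FreeRADIUS source code: a proxy checks the client's Message-Authenticator, appends Proxy-State, changes the Id and Request Authenticator, and recomputes the HMAC-MD5 with the server secret. All function names, secrets and the sample packet are constructed for illustration; the sample carries no User-Password, which would otherwise have to be re-encrypted when the Request Authenticator changes.

```python
import hashlib
import hmac
import struct

MSG_AUTH, PROXY_STATE = 80, 33   # attribute types (RFC 2869, RFC 2865)

def find_msg_auth(packet):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    end = int.from_bytes(packet[2:4], "big")
    i = 20                                   # attributes follow the 20-byte header
    while i + 2 <= end:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > end:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH and alen == 18:
            return i + 2
        i += alen
    return None

def compute(packet, secret):
    """HMAC-MD5 over Type, Id, Length, Authenticator, Attributes with the MAC zeroed."""
    off = find_msg_auth(packet)
    if off is None:
        raise ValueError("no Message-Authenticator")
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    return off, hmac.new(secret, zeroed, hashlib.md5).digest()

def verify(packet, secret):
    off, mac = compute(packet, secret)
    return hmac.compare_digest(mac, packet[off:off + 16])

def sign(packet, secret):
    off, mac = compute(packet, secret)
    return packet[:off] + mac + packet[off + 16:]

def proxy_forward(packet, client_secret, server_secret, new_id, new_auth, state):
    """Check the client's MAC, then rebuild the Access-Request for the home server."""
    if not verify(packet, client_secret):
        raise ValueError("bad Message-Authenticator from client")
    end = int.from_bytes(packet[2:4], "big")
    attrs = packet[20:end] + bytes([PROXY_STATE, 2 + len(state)]) + state
    header = struct.pack("!BBH", packet[0], new_id, 20 + len(attrs)) + new_auth
    return sign(header + attrs, server_secret)

def build_sample(secret):
    """Constructed Access-Request: User-Name 'alice' plus Message-Authenticator."""
    attrs = bytes([1, 7]) + b"alice" + bytes([MSG_AUTH, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16))
    return sign(header + attrs, secret)
```

The same key is used for the whole HMAC; only which shared secret is chosen differs between the client-to-proxy hop and the proxy-to-server hop.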
