To add to Alan's reply:
> I am writing to say that the proxy for Access-Request
> 1) Must add the Proxy-State

the RFC says MAY rather than MUST, but the proxies I have seen
do add the Proxy-State.

> 2) Recompute Message-Authenticator by using the HMAC-MD5 calculation with
> the server secret
> 3) The Authenticator is not changed
> 4) The proxy might use a different Id and forward the request

the order of these steps will be different: you will calculate the
Message-Authenticator at the end, after sorting out the authenticator and
new ID creation issues. Basically the authenticator has to sign the whole
packet, so you need to prepare the packet first.

> For Access-Response
> 1) Remove the Proxy-State
> 2) Recompute Message-Authenticator by using the HMAC-MD5 calculation with
> the client secret
> 3) Regenerate the Authenticator from the original Access-Request one.

yes, you need to create the response authenticator using the secret you
share with the NAS (after you verify that the response authenticator you
have got from the server is correct).

> 4) The proxy gets back the original request Id and forwards the response

yes, you need to reply with the ID corresponding to the request from the
NAS (this could be different from the ID the proxy used with the RADIUS server).

> And the HMAC-MD5 must be used with the following attributes: HMAC-MD5
> (packet, packet_len, secret, secret_len, destination of the new
> Message-Authenticator)

yes, and the implementation in RFC 2104 takes the same parameters in the
same order, so you can simply use the C code from the RFC if you want.

Puneet
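The two-direction proxy procedure discussed in this thread, as an added example that is not from the thread and not FreeRADIUS code: a minimal pure-Python model of the packet handling, using the RFC 2865 Response Authenticator and the RFC 2869 Message-Authenticator. The secrets, identifiers, Proxy-State value and attribute contents are constructed for illustration.

```python
import hashlib, hmac

MSG_AUTH, PROXY_STATE = 80, 33   # attribute types: Message-Authenticator, Proxy-State

def attrs(packet):
    """Split the attribute section (after the 20-byte header) into (type, value) pairs."""
    out, i = [], 20
    while i < len(packet):
        t, l = packet[i], packet[i + 1]
        out.append((t, packet[i + 2:i + l]))
        i += l
    return out

def build(code, ident, auth, attributes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + auth + body

def sign_msg_auth(code, ident, auth, attributes, secret):
    """Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed), RFC 2869 5.14.
    Re-signing a received packet and comparing the result also serves as verification."""
    if not any(t == MSG_AUTH for t, _ in attributes):
        attributes = attributes + [(MSG_AUTH, bytes(16))]
    zeroed = [(t, bytes(16) if t == MSG_AUTH else v) for t, v in attributes]
    mac = hmac.new(secret, build(code, ident, auth, zeroed), hashlib.md5).digest()
    return build(code, ident, auth, [(t, mac if t == MSG_AUTH else v) for t, v in zeroed])

def response_auth(packet, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 3."""
    return hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()

def proxy_request(req, nas_secret, server_secret, proxy_ident, state):
    """NAS -> proxy -> server: verify with the NAS secret, append Proxy-State, use our own ID,
    keep the Request Authenticator, and compute Message-Authenticator last with the server secret."""
    if not hmac.compare_digest(sign_msg_auth(req[0], req[1], req[4:20], attrs(req), nas_secret), req):
        raise ValueError("bad Message-Authenticator from NAS")
    return sign_msg_auth(req[0], proxy_ident, req[4:20], attrs(req) + [(PROXY_STATE, state)], server_secret)

def proxy_response(resp, orig_req, nas_secret, server_secret):
    """server -> proxy -> NAS: check both authenticators with the server secret, strip Proxy-State,
    restore the NAS's ID, then re-sign with the NAS secret: Message-Authenticator first (computed
    with the Request Authenticator in the header), Response Authenticator last, since it covers it."""
    req_auth = orig_req[4:20]            # unchanged by the proxy, so it is also what the server used
    if not hmac.compare_digest(response_auth(resp, req_auth, server_secret), resp[4:20]):
        raise ValueError("bad Response Authenticator from server")
    if sign_msg_auth(resp[0], resp[1], req_auth, attrs(resp), server_secret)[20:] != resp[20:]:
        raise ValueError("bad Message-Authenticator from server")
    kept = [(t, v) for t, v in attrs(resp) if t != PROXY_STATE]
    signed = sign_msg_auth(resp[0], orig_req[1], req_auth, kept, nas_secret)
    return signed[:4] + response_auth(signed, req_auth, nas_secret) + signed[20:]
```

The Proxy-State is appended after any existing attributes, and the server is expected to echo it back unchanged, which is what lets the proxy strip exactly its own state on the way back.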


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
