"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
> Where is it defined? RFC 2869 only talks about how to handle it in Access-*
> packets, and particularly the handling with respect to EAP. It doesn't say
> that you MUST or MAY discard an Accounting-* packet with a missing or bad
> Message-Authenticator.

That's exactly what I meant.

> On the other hand, I don't believe it's correct to discard those packets
> because the document in which FR's calculation of Message-Authenticator is
> based is in status of DRAFT, is not yet an RFC. So what you are doing like
> this (IMHO) is creating your own version of RADIUS, based on a DRAFT.

No. *Cisco* created its own version of RADIUS by adding a
Message-Authenticator to the Accounting-Response. And it *is* legal to drop
packets which don't have a valid Message-Authenticator. This is known as
"security".

> At the state of the art, I think, nobody can tell each other what
> Message-Authenticator is valid or not in this case... so nobody is able to
> discard a packet as "invalid", until an RFC arrives.

The packet is not a valid one, because there is no valid method of
calculating Message-Authenticator. Therefore, it is an invalid packet.

Alan DeKok.
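For reference, an added example (not part of the original message and not FreeRADIUS code) of the one case RFC 2869 does define: checking Message-Authenticator on an Access-Request, computed as HMAC-MD5 over the whole packet with the attribute's value zeroed and the shared secret as key. The function names, the sample packet, the policy of requiring the attribute, and the strict length check are assumptions made for illustration.

```python
import hashlib
import hmac

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869


def find_message_authenticator(packet: bytes):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    pos = 20  # attributes follow the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("bad Message-Authenticator length")
            return pos + 2
        pos += attr_len
    return None


def sign_access_request(packet: bytes, secret: bytes) -> bytes:
    """Fill the attribute; the packet must already carry a 16-byte value slot."""
    off = find_message_authenticator(packet)
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet[:off] + mac + packet[off + 16:]


def accept_access_request(packet: bytes, secret: bytes) -> bool:
    """True to process the packet, False to silently discard it."""
    try:
        if (len(packet) < 20 or packet[0] != ACCESS_REQUEST
                or int.from_bytes(packet[2:4], "big") != len(packet)):
            return False
        off = find_message_authenticator(packet)
    except ValueError:
        return False
    if off is None:
        return False  # assumed local policy: the attribute is required
    return hmac.compare_digest(sign_access_request(packet, secret), packet)


def build_sample(secret: bytes) -> bytes:
    """Constructed Access-Request: User-Name "bob" plus Message-Authenticator."""
    attrs = bytes([1, 5]) + b"bob" + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = bytes([ACCESS_REQUEST, 7]) + (20 + len(attrs)).to_bytes(2, "big") + bytes(range(16))
    return sign_access_request(header + attrs, secret)
```
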

