Re: AccountingReq message authenticator

2005-09-28 Thread Michael Lecuyer
There is no way to generate a message authenticator in an
Accounting-Request packet the usual way it's generated for an
Access-Request.

The accounting packet is signed by the client, therefore there cannot be
two signatures created for the entire packet. By the very nature of
creating a signature, the second signature will alter the packet's
contents, invalidating the first signature.

The Message-Authenticator can be only one of two things. Either it's
calculated as a hash of the attributes or it's a random number (like the
Access-Request authenticator). From your information I suspect it's the
former.

You might try using the traditional MA calculation for the MA on just
the attributes with an empty (zeroed) MA present and back patch the MA.
If this works please let me know.

Or, if someone has accounting packets generated with proper MAs, please
send them to me and I'll try some standard hashes. The MA is
traditionally created as an MD5-HMAC of the shared secret and the entire
packet's contents with an empty (16 byte) Message-Authenticator. For an
accounting packet MA, use just the attribute block instead of the entire
packet: try just the attributes with the empty MA.



Ashwin Gobind wrote:

Hi.

Is there any way to generate a message authenticator for an accounting
request packet?  At the moment I am using JRadius; I need to send an
accounting request message to another radius server.  However, after I
add the message authenticator and send it to another server, the other
server complains about “Invalid message authenticator”  (Shared secret
is incorrect).

Here is some code:

//Proxy request to the wap gateway
DatagramSocket socket = new DatagramSocket();
socket.setSoTimeout(5000);

//Generate authenticator
MessageDigest md5 = MessageDigest.getInstance("MD5");
md5.reset();
md5.update((byte)req.getCode());
md5.update((byte)req.getIdentifier());
int length = req.getBytes().length;
byte [] authenticator = req.getAuthenticator();
byte [] attributeBytes = req.getAttributeBytes(req.getAttributes(),0);

// loop bound lost in the archive; authenticator.length assumed
for (int z=0; z<authenticator.length; z++)
    RadiusLog.debug("Autenticator["+z+"] Before = " + authenticator[z]);

RadiusLog.debug("Autenticator Length: " + authenticator.length);
RadiusLog.debug("Attributes Length: " + attributeBytes.length);
RadiusLog.debug("Paket Length: " + length);

String sharedSecret = "testing123";
md5.update((byte)(length >> 8));
md5.update((byte)(length & 0xff));
md5.update(authenticator, 0, authenticator.length);
md5.update(attributeBytes, 0, attributeBytes.length);
md5.update(sharedSecret.getBytes());

req.overwriteAttribute(AttributeFactory.newAttribute(AttributeDictionary.MESSAGE_AUTHENTICATOR, authenticator));

System.arraycopy(md5.digest(), 0, authenticator, 0, 16);


“This e-mail is sent on the Terms and Conditions that can be accessed by 
Clicking on this link http://www.vodacom.net/legal/email.aspx 
 "





- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
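
The traditional calculation described in the reply above (empty 16-byte Message-Authenticator, HMAC-MD5 keyed with the shared secret over the entire packet, then back-patching), written with JDK classes only. This is an added example, not code from the thread or from JRadius. It assumes the Request Authenticator field is also sixteen zero octets while the HMAC is computed and that the RFC 2866 accounting authenticator is computed afterwards over the patched packet; the class name and packet bytes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AcctMessageAuthenticator {   // hypothetical class name
    static final int MA_TYPE = 80;        // Message-Authenticator attribute type (RFC 2869)
    // Offset of the 16-byte Message-Authenticator value, or -1 if absent or malformed.
    static int findMaValue(byte[] pkt) {
        for (int i = 20, len; i + 2 <= pkt.length; i += len) {
            len = pkt[i + 1] & 0xff;
            if (len < 2 || i + len > pkt.length) return -1;
            if ((pkt[i] & 0xff) == MA_TYPE && len == 18) return i + 2;
        }
        return -1;
    }

    // Assumed order: HMAC-MD5 with authenticator and MA zeroed, then the RFC 2866 MD5.
    static void sign(byte[] pkt, byte[] secret) throws Exception {
        int ma = findMaValue(pkt);
        if (ma < 0) throw new IllegalArgumentException("no Message-Authenticator attribute");
        Arrays.fill(pkt, 4, 20, (byte) 0);         // Request Authenticator field
        Arrays.fill(pkt, ma, ma + 16, (byte) 0);   // empty Message-Authenticator
        Mac hmac = Mac.getInstance("HmacMD5");
        hmac.init(new SecretKeySpec(secret, "HmacMD5"));
        System.arraycopy(hmac.doFinal(pkt), 0, pkt, ma, 16);   // back-patch the MA
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(pkt);       // authenticator field is still sixteen zero octets
        md5.update(secret);
        System.arraycopy(md5.digest(), 0, pkt, 4, 16);
    }

    // Receiver side: recompute both values on a copy and compare in constant time.
    static boolean verify(byte[] pkt, byte[] secret) throws Exception {
        byte[] copy = pkt.clone();
        if (findMaValue(copy) < 0) return false;
        sign(copy, secret);
        return MessageDigest.isEqual(copy, pkt);
    }
    public static void main(String[] args) throws Exception {
        // Constructed packet: Accounting-Request (4), id 1, Acct-Status-Type=Start, empty MA.
        byte[] pkt = Arrays.copyOf(new byte[] {4, 1, 0, 44}, 44);
        System.arraycopy(new byte[] {40, 6, 0, 0, 0, 1, MA_TYPE, 18}, 0, pkt, 20, 8);
        sign(pkt, "testing123".getBytes(StandardCharsets.US_ASCII));
        System.out.println(verify(pkt, "testing123".getBytes(StandardCharsets.US_ASCII)));
        System.out.println(verify(pkt, "wrong-secret".getBytes(StandardCharsets.US_ASCII)));
    }
}
```

A receiver that computes the HMAC over a different span (attributes only, or with the authenticator left in place) will reject this packet even when the secret matches, with the same "Invalid message authenticator" error.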




Re: AccountingReq message authenticator

2005-09-28 Thread Paolo Rotela



RFCs are a little messy about this issue.
Message-Authenticator in Accounting packets is not well standardized, so
everyone does what they want about this.

Do a search in the list for "FreeRadius Proxying
and Message-Authenticator" for more information.

Eng. Paolo Rotela
CTO
Blue Telecom

  - Original Message -
  From: Ashwin Gobind
  To: freeradius-users@lists.freeradius.org
  Sent: Wednesday, September 28, 2005 11:20 AM
  Subject: AccountingReq message authenticator

  Hi.

  Is there any way to generate a message authenticator for an accounting
  request packet?  At the moment I am using JRadius; I need to send an
  accounting request message to another radius server.  However, after I
  add the message authenticator and send it to another server, the other
  server complains about “Invalid message authenticator”  (Shared secret
  is incorrect).

  Here is some code:

  //Proxy request to the wap gateway
  DatagramSocket socket = new DatagramSocket();
  socket.setSoTimeout(5000);

  //Generate authenticator
  MessageDigest md5 = MessageDigest.getInstance("MD5");
  md5.reset();
  md5.update((byte)req.getCode());
  md5.update((byte)req.getIdentifier());
  int length = req.getBytes().length;
  byte [] authenticator = req.getAuthenticator();
  byte [] attributeBytes = req.getAttributeBytes(req.getAttributes(),0);

  // loop bound lost in the archive; authenticator.length assumed
  for (int z=0; z<authenticator.length; z++)
      RadiusLog.debug("Autenticator["+z+"] Before = " + authenticator[z]);

  RadiusLog.debug("Autenticator Length: " + authenticator.length);
  RadiusLog.debug("Attributes Length: " + attributeBytes.length);
  RadiusLog.debug("Paket Length: " + length);

  String sharedSecret = "testing123";
  md5.update((byte)(length >> 8));
  md5.update((byte)(length & 0xff));
  md5.update(authenticator, 0, authenticator.length);
  md5.update(attributeBytes, 0, attributeBytes.length);
  md5.update(sharedSecret.getBytes());

  req.overwriteAttribute(AttributeFactory.newAttribute(AttributeDictionary.MESSAGE_AUTHENTICATOR, authenticator));

  System.arraycopy(md5.digest(), 0, authenticator, 0, 16);
  
  


AccountingReq message authenticator

2005-09-28 Thread Ashwin Gobind








Hi.

Is there any way to generate a message authenticator for an
accounting request packet?  At the moment I am using JRadius; I need to send an
accounting request message to another radius server.  However, after I add the
message authenticator and send it to another server, the other server complains
about “Invalid message authenticator”  (Shared secret is
incorrect).

Here is some code:

//Proxy request to the wap gateway
DatagramSocket socket = new DatagramSocket();
socket.setSoTimeout(5000);

//Generate authenticator
MessageDigest md5 = MessageDigest.getInstance("MD5");
md5.reset();
md5.update((byte)req.getCode());
md5.update((byte)req.getIdentifier());
int length = req.getBytes().length;
byte [] authenticator = req.getAuthenticator();
byte [] attributeBytes = req.getAttributeBytes(req.getAttributes(),0);

// loop bound lost in the archive; authenticator.length assumed
for (int z=0; z<authenticator.length; z++)
    RadiusLog.debug("Autenticator["+z+"] Before = " + authenticator[z]);

RadiusLog.debug("Autenticator Length: " + authenticator.length);
RadiusLog.debug("Attributes Length: " + attributeBytes.length);
RadiusLog.debug("Paket Length: " + length);

String sharedSecret = "testing123";
md5.update((byte)(length >> 8));
md5.update((byte)(length & 0xff));
md5.update(authenticator, 0, authenticator.length);
md5.update(attributeBytes, 0, attributeBytes.length);
md5.update(sharedSecret.getBytes());

req.overwriteAttribute(AttributeFactory.newAttribute(AttributeDictionary.MESSAGE_AUTHENTICATOR, authenticator));

System.arraycopy(md5.digest(), 0, authenticator, 0, 16);



