I wrote a program to send an Access-Request packet to the RADIUS server.
The packet format is as follows:
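+------------------------------------------------+
| code = 1 | ID = 1 | Length = 73 (0x0049)       |
+------------------------------------------------+
| 16 bytes authenticator                         |
+------------------------------------------------+
| user_name = test                               |
+------------------------------------------------+
| chap_password                                  |
+------------------------------------------------+
| eap_message = pdsicygx                         |
+------------------------------------------------+
| Message_authenticator                          |
+------------------------------------------------+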
The Message_authenticator is calculated as follows:
Message_authenticator = HMAC-MD5(code, ID, Length, 16 bytes
Authenticator, user_name, chap_password, eap_message),
using the shared secret between the NAS and the RADIUS server, in this case,
testing123.
While sending CHAP packets without the eap_message and
Message_authenticator gets Access request, sending packets like the above
gets a response from the RADIUS server as follows:
rad_recv: Access-Request packet from host 202.117.7.223:1408, id=1,
length=73
Received packet from 202.117.7.223 with invalid Message-Authenticator!
(Shared secret is incorrect.)
Server rejecting request 1.
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 202.117.7.223:1408
Segments of the radiusd -X output are as follows:
...
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
...
Can the eap_message attribute be set randomly (in my packets,
pdsicygx)? Is it right to calculate Message_authenticator as I did?
Regards
Guoxian
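
Added example, not part of the original message or of FreeRADIUS: a sketch of the Message-Authenticator computation as RFC 2869 defines it (HMAC-MD5 over the entire packet with the 16-byte Message-Authenticator value set to zero, keyed with the shared secret), plus the receiver-side check. The Request Authenticator and CHAP-Password bytes are constructed sample values; the function names are assumptions.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, CHAP_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 3, 79, 80

def attr(attr_type, value):
    # RADIUS attribute: type, length (counts the 2 header bytes), value
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident, authenticator, attrs, secret):
    body = b"".join(attr(t, v) for t, v in attrs)
    # Message-Authenticator is placed last, first as 16 zero bytes
    body += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = bytearray(header + authenticator + body)
    # HMAC-MD5 over the whole packet, zeroed field included
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet, secret):
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    data, pos, received = bytearray(packet[:length]), 20, None
    while pos + 2 <= length:
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18:
                return False
            received = bytes(data[pos + 2:pos + 18])
            data[pos + 2:pos + 18] = bytes(16)  # zero before recomputing
        pos += a_len
    if received is None:
        return False
    expected = hmac.new(secret, bytes(data), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)  # constant-time compare

# Constructed sample values (not from the original packet capture)
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))       # 16-byte Request Authenticator
CHAP_VALUE = bytes([1]) + bytes(16)    # CHAP ident + 16-byte response
PACKET = build_access_request(1, AUTHENTICATOR, [
    (USER_NAME, b"test"), (CHAP_PASSWORD, CHAP_VALUE),
    (EAP_MESSAGE, b"pdsicygx")], SECRET)
```

With the attribute sizes from the message, the resulting packet is 73 bytes long, matching the Length field shown above.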