RE: Accounting Request Message Authenticator setting to 0x00

2007-03-15 Thread Archna Mittal
Thanks a lot for all the replies.
Actually my project requirement needs the authenticator field set to all
zeros, and moreover there is no secret as such with the radius server, i.e.
the secret field is Null while calling rad_send. You may assume that my
project requires just the message in Radius Packet format without any secret
or security signatures.

Any pointers?

Thanks in Advance,
Regards,
-Archna

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, March 15, 2007 7:42 PM
To: FreeRadius users mailing list
Subject: Re: Accounting Request Message Authenticator setting to 0x00

Archna Mittal wrote:
> Is it possible to put authenticator field in Accounting Request message to
> 0x00?

  If you're using FreeRADIUS, the code works, and does the right thing.

  If you're developing your own RADIUS software, then this is *not* the
appropriate list to ask generic RADIUS questions.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: Accounting Request Message Authenticator setting to 0x00

2007-03-15 Thread Michael Lecuyer
If your accounting-request is damaged then the server will reject it 
since the signature will be altered. The server performs a signature 
check on the Accounting-Request - basically resigning it and checking 
that the resulting Accounting-Request authenticators are the same.

It's a trust mechanism based on which end is responsible for the 
consequences of the transaction.

When authenticating the client doesn't trust the server and requires 
that the server sign the response packet. The client will grant 
privileges and so cannot afford to blindly trust the server.

In accounting the server doesn't trust the client and requires a signed 
packet from the client. In this case the server doesn't want to trust 
just any old packet for something as important as accounting.

[EMAIL PROTECTED] wrote:
> Let's say you achieve that with some packet sniffing software. You don't
> have radius packet any more. You have garbage. What now?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 16/3/2007, "Archna Mittal" <[EMAIL PROTECTED]> wrote:
> 
>>Is it possible to put authenticator field in Accounting Request message to
>>0x00?
>>
>>Regards,
>>-Archna
>>
>>-Original Message-
>>From: [EMAIL PROTECTED] On Behalf Of Michael Lecuyer
>>Sent: Thursday, March 15, 2007 6:47 PM
>>To: FreeRadius users mailing list
>>Subject: Re: Accounting Request Message Authenticator setting to 0x00
>>
>>It's impossible to put a Message-Authenticator in an accounting packet.
>>It has to do with the way the Accounting-Request packet is signed.
>>
>>The MA is placed in the Access-Request packet as 16 zeroed bytes. The
>>HMAC-MD5 value is calculated over the entire packet and patched into the
>>MA's zeroed value. Since the authenticator is a random number the MA's
>>value does not matter when back patched in the packet.
>>
>>An accounting packet (Accounting-Request) is signed by performing an MD5
>>over the entire packet and then stuffing that value into the
>>authenticator's position. So the accounting packet is already securely
>>signed and doesn't need another signature on top of that. It would be
>>impossible to calculate the MA since the authenticator starts out zeroed
>>in an accounting packet. When the accounting packet is signed either a
>>precalculated MA will be incorrect or a post-authenticated MA will
>>invalidate the accounting packet's signature.
>>
>>Archna Mittal wrote:
>>
>>>Hi,
>>>
>>>  I am a newbie to Radius Protocol.  I want to set the Message
>>>Authenticator value to 0x00 in my Accounting Request. I have tried bzero
>>>but it's not working.
>>>
>>>Please let me know if there is a way to do it?
>>>
>>>
>>>
>>>
>>>
>>>Thanks & Regards,
>>>
>>>Regards,
>>>
>>>-Archna


Re: Accounting Request Message Authenticator setting to 0x00

2007-03-15 Thread Alan DeKok
Archna Mittal wrote:
> Is it possible to put authenticator field in Accounting Request message to
> 0x00?

  If you're using FreeRADIUS, the code works, and does the right thing.

  If you're developing your own RADIUS software, then this is *not* the
appropriate list to ask generic RADIUS questions.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: Accounting Request Message Authenticator setting to 0x00

2007-03-15 Thread tnt
Let's say you achieve that with some packet sniffing software. You don't
have radius packet any more. You have garbage. What now?

Ivan Kalik
Kalik Informatika ISP


On 16/3/2007, "Archna Mittal" <[EMAIL PROTECTED]> wrote:

>Is it possible to put authenticator field in Accounting Request message to
>0x00?
>
>Regards,
>-Archna
>
>-Original Message-
>From: [EMAIL PROTECTED] On Behalf Of Michael Lecuyer
>Sent: Thursday, March 15, 2007 6:47 PM
>To: FreeRadius users mailing list
>Subject: Re: Accounting Request Message Authenticator setting to 0x00
>
>It's impossible to put a Message-Authenticator in an accounting packet.
>It has to do with the way the Accounting-Request packet is signed.
>
>The MA is placed in the Access-Request packet as 16 zeroed bytes. The
>HMAC-MD5 value is calculated over the entire packet and patched into the
>MA's zeroed value. Since the authenticator is a random number the MA's
>value does not matter when back patched in the packet.
>
>An accounting packet (Accounting-Request) is signed by performing an MD5
>over the entire packet and then stuffing that value into the
>authenticator's position. So the accounting packet is already securely
>signed and doesn't need another signature on top of that. It would be
>impossible to calculate the MA since the authenticator starts out zeroed
>in an accounting packet. When the accounting packet is signed either a
>precalculated MA will be incorrect or a post-authenticated MA will
>invalidate the accounting packet's signature.
>
>Archna Mittal wrote:
>> Hi,
>>
>>   I am a newbie to Radius Protocol.  I want to set the Message
>> Authenticator value to 0x00 in my Accounting Request. I have tried bzero
>> but it's not working.
>>
>> Please let me know if there is a way to do it?
>>
>>
>>
>>
>>
>> Thanks & Regards,
>>
>> Regards,
>>
>> -Archna


RE: Accounting Request Message Authenticator setting to 0x00

2007-03-15 Thread Archna Mittal
Is it possible to put authenticator field in Accounting Request message to
0x00?

Regards,
-Archna

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Michael Lecuyer
Sent: Thursday, March 15, 2007 6:47 PM
To: FreeRadius users mailing list
Subject: Re: Accounting Request Message Authenticator setting to 0x00

It's impossible to put a Message-Authenticator in an accounting packet.
It has to do with the way the Accounting-Request packet is signed.

The MA is placed in the Access-Request packet as 16 zeroed bytes. The 
HMAC-MD5 value is calculated over the entire packet and patched into the 
MA's zeroed value. Since the authenticator is a random number the MA's 
value does not matter when back patched in the packet.

An accounting packet (Accounting-Request) is signed by performing an MD5 
over the entire packet and then stuffing that value into the 
authenticator's position. So the accounting packet is already securely 
signed and doesn't need another signature on top of that. It would be 
impossible to calculate the MA since the authenticator starts out zeroed 
in an accounting packet. When the accounting packet is signed either a 
precalculated MA will be incorrect or a post-authenticated MA will 
invalidate the accounting packet's signature.

Archna Mittal wrote:
> Hi,
> 
>   I am a newbie to Radius Protocol.  I want to set the Message 
> Authenticator value to 0x00 in my Accounting Request. I have tried bzero 
> but it's not working.
> 
> Please let me know if there is a way to do it?
> 
>  
> 
>  
> 
> Thanks & Regards,
> 
> Regards,
> 
> -Archna


Re: Accounting Request Message Authenticator setting to 0x00

2007-03-15 Thread Michael Lecuyer
It's impossible to put a Message-Authenticator in an accounting packet.
It has to do with the way the Accounting-Request packet is signed.

The MA is placed in the Access-Request packet as 16 zeroed bytes. The 
HMAC-MD5 value is calculated over the entire packet and patched into the 
MA's zeroed value. Since the authenticator is a random number the MA's 
value does not matter when back patched in the packet.

An accounting packet (Accounting-Request) is signed by performing an MD5 
over the entire packet and then stuffing that value into the 
authenticator's position. So the accounting packet is already securely 
signed and doesn't need another signature on top of that. It would be 
impossible to calculate the MA since the authenticator starts out zeroed 
in an accounting packet. When the accounting packet is signed either a 
precalculated MA will be incorrect or a post-authenticated MA will 
invalidate the accounting packet's signature.

Archna Mittal wrote:
> Hi,
> 
>   I am a newbie to Radius Protocol.  I want to set the Message 
> Authenticator value to 0x00 in my Accounting Request. I have tried bzero 
> but it's not working.
> 
> Please let me know if there is a way to do it?
> 
>  
> 
>  
> 
> Thanks & Regards,
> 
> Regards,
> 
> -Archna

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
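
Added example (not part of any message in this thread, and not FreeRADIUS code): the two signing schemes described in the replies above, following RFC 2866 for the Accounting-Request authenticator and RFC 2869 for Message-Authenticator, together with the server-side check that rejects an Accounting-Request whose authenticator is left at all zeros. The function names, the shared secret and the attribute values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
MESSAGE_AUTHENTICATOR = 80          # attribute type, RFC 2869
ZERO16 = b"\x00" * 16


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code (1), Identifier (1), Length (2), Authenticator (16), Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def sign_accounting(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """MD5 over the packet with a zeroed authenticator plus the secret, patched in."""
    zeroed = packet(ACCOUNTING_REQUEST, ident, ZERO16, attrs)
    return packet(ACCOUNTING_REQUEST, ident, hashlib.md5(zeroed + secret).digest(), attrs)


def verify_accounting(pkt: bytes, secret: bytes) -> bool:
    """Server-side check: re-sign the received packet and compare authenticators."""
    expected = hashlib.md5(pkt[:4] + ZERO16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def sign_access_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Random authenticator; HMAC-MD5 over the packet with a zeroed MA, patched in."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, ZERO16)
    pkt = packet(ACCESS_REQUEST, ident, os.urandom(16), body)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_access_request(pkt: bytes, secret: bytes) -> bool:
    """Assumes the MA is the last attribute, as sign_access_request() emits it."""
    mac = hmac.new(secret, pkt[:-16] + ZERO16, hashlib.md5).digest()
    return hmac.compare_digest(pkt[-16:], mac)


# Constructed sample input: the secret and attribute values are made up.
SECRET = b"testing123"
ATTRS = attr(40, struct.pack("!I", 1)) + attr(44, b"session-0001")  # Status=Start, Session-Id
signed = sign_accounting(7, ATTRS, SECRET)
zeroed = packet(ACCOUNTING_REQUEST, 7, ZERO16, ATTRS)  # authenticator left at 0x00
```

verify_accounting(signed, SECRET) returns True, while verify_accounting(zeroed, SECRET) returns False, and it stays False with an empty secret because the MD5 digest is still computed over the packet.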


Re: Accounting Request Message Authenticator setting to 0x00

2007-03-15 Thread tnt
No. It's not allowed in Accounting-Request.

Ivan Kalik
Kalik Informatika ISP


On 15/3/2007, "Archna Mittal" <[EMAIL PROTECTED]> wrote:

>Hi,
>
>  I am a newbie to Radius Protocol.  I want to set the Message Authenticator
>value to 0x00 in my Accounting Request. I have tried bzero but it's not
>working.
>
>Please let me know if there is a way to do it?
>
>
>
>
>
>Thanks & Regards,
>
>Regards,
>
>-Archna