Authenticator
The authenticator region, often 16 octets long, is the field used to check the integrity of the message's payload. The most significant octet of this field is transmitted first. Its value is used to authenticate replies from the RADIUS server, and it is also used in the mechanism that conceals passwords.
There are two specific types of authenticator values: the request and response values. Request authenticators are used with Access-Request and Accounting-Request packets. In the request value, the field is 16 octets long and is generated on a completely random basis so as to thwart any attacks. While RADIUS doesn't make a provision for protecting communication against wiretapping and packet capture, random values coupled with a strong password make attacking and snooping difficult.
The response authenticator is used in Access-Accept, Access-Reject, and Access-Challenge packets. The value is calculated using a one-way MD5 hash generated from the values of the code, identifier, length, and request-authenticator regions of the packet header, followed by the packet payload and the shared secret. (I'll cover shared secrets in detail later in this chapter.) Example 2-1 shows an equation to represent how this hash is computed.

Example 2-1. Computing the response authenticator
ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
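As an added example that is not part of the book, the following Python code implements the computation in Example 2-1 for a server building an Access-Accept, together with the check a client performs on the reply: it recomputes the hash using the Request Authenticator it saved from its own request and compares it against the received field. The secret, identifier, attribute bytes and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code (1) + Identifier (1) + Length (2) + Authenticator (16)

# Constructed sample data (not real credentials): a 16-octet Request
# Authenticator the client sent, a shared secret, and one Reply-Message
# attribute (type 18) carrying the text "Welcome".
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_ATTRS = bytes([18, 2 + len(b"Welcome")]) + b"Welcome"


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    Length covers the whole packet, header included, and is sent big-endian."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, identifier, attributes, request_auth, secret):
    """Server side: assemble a reply whose Authenticator field is the hash above."""
    length = HEADER_LEN + len(attributes)
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return struct.pack("!BBH", code, identifier, length) + auth + attributes


def verify_response(packet, request_auth, secret):
    """Client side: accept the reply only if the Response Authenticator matches.

    The client must use the Request Authenticator from its own outstanding
    request; a reply hashed with any other value, secret or payload fails."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received = packet[4:HEADER_LEN]
    attributes = packet[HEADER_LEN:length]
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    reply = build_response(ACCESS_ACCEPT, 7, SAMPLE_ATTRS, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
    print("reply verifies:", verify_response(reply, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    print("wrong secret:", verify_response(reply, SAMPLE_REQUEST_AUTH, b"other"))
```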