Name
Message-Authenticator
Synopsis
Attribute Number    80
Length              18
Value               STRING
Allowed in          Access-Request, Access-Challenge, Access-Accept, Access-Reject
Prohibited in       Accounting-Request, Accounting-Response
Presence in Packet  Required in Access-Request, Access-Accept, Access-Reject, or Access-Challenge packets that contain EAP-Message; otherwise not required
Maximum Iterations  1
The Message-Authenticator attribute carries a keyed integrity check (a MAC, not a signature in the public-key sense) that lets the receiver detect packets that were forged or altered by someone who does not know the shared secret. Its value is an HMAC-MD5 of the entire Access-Request, including the Code, Identifier, Length, and Authenticator fields and all attributes, computed with the shared secret as the key and with the attribute's own 16-octet value treated as zeros while hashing. The attribute may be included in any Access-Request, but any packet that contains EAP-Message attributes must also carry a Message-Authenticator. In Access-Accept, Access-Reject, and Access-Challenge packets, RFC 2869 has the HMAC computed with the Request Authenticator of the corresponding Access-Request placed in the Authenticator field, since the reply's own Response Authenticator is not known until after the attribute is filled in. A packet whose Message-Authenticator does not verify must be silently discarded.
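The computation just described, as an added Python example (not code from the book or from any RADIUS implementation): it builds an Access-Request carrying EAP-Message, computes HMAC-MD5 over the packet with the Message-Authenticator value zeroed and the shared secret as key, verifies it in constant time, and does the same for the Access-Accept reply, where RFC 2869 has the HMAC computed with the Request Authenticator in the header before the Response Authenticator is written. The shared secret, user name, EAP payloads and Request Authenticator are constructed values; the attribute and function names are this example's own.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute numbers from RFC 2865 / RFC 2869
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
SECRET = b"testing123"  # constructed example shared secret, not a real one

def attribute(attr_type, value):
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_packet(code, identifier, authenticator, attributes):
    """Assemble a packet; give Message-Authenticator as 16 zero octets, sign() fills it."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body

def parse_attributes(packet):
    """Return (offset, type, value) triples, rejecting malformed lengths."""
    out, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        out.append((pos, attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out

def message_authenticator_offset(packet):
    """Offset of the single 16-octet Message-Authenticator attribute, or None."""
    hits = [off for off, t, v in parse_attributes(packet)
            if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    return hits[0] if len(hits) == 1 else None

def requires_message_authenticator(packet):
    """True when the packet carries EAP-Message, which makes the attribute mandatory."""
    return any(t == EAP_MESSAGE for _, t, _ in parse_attributes(packet))

def compute_message_authenticator(packet, secret, request_authenticator=None):
    """HMAC-MD5 over the whole packet, keyed with the shared secret, with the
    Message-Authenticator value taken as 16 zero octets. For Access-Accept/Reject/
    Challenge pass the Request Authenticator of the Access-Request being answered."""
    off = message_authenticator_offset(packet)
    if off is None:
        raise ValueError("expected exactly one 16-octet Message-Authenticator")
    buf = bytearray(packet)
    buf[off + 2:off + 18] = bytes(16)
    if request_authenticator is not None:
        buf[4:HEADER_LEN] = request_authenticator
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def sign(packet, secret, request_authenticator=None):
    """Fill in the Message-Authenticator of a packet built with the zero placeholder."""
    mac = compute_message_authenticator(packet, secret, request_authenticator)
    off = message_authenticator_offset(packet)
    return packet[:off + 2] + mac + packet[off + 18:]

def verify(packet, secret, request_authenticator=None):
    """Constant-time check; a packet without the attribute fails."""
    off = message_authenticator_offset(packet)
    if off is None:
        return False
    expected = compute_message_authenticator(packet, secret, request_authenticator)
    return hmac.compare_digest(bytes(packet[off + 2:off + 18]), expected)

def demo():
    """Sign/verify an EAP Access-Request and its Access-Accept; all values constructed."""
    req_auth = bytes(range(16))  # constructed; a real Request Authenticator is random
    request = sign(build_packet(ACCESS_REQUEST, 7, req_auth, [
        attribute(USER_NAME, b"alice"),
        attribute(EAP_MESSAGE, bytes.fromhex("0201000a01616c696365")),  # EAP Identity "alice"
        attribute(MESSAGE_AUTHENTICATOR, bytes(16)),
    ]), SECRET)
    tampered = bytearray(request)
    tampered[HEADER_LEN + 2] ^= 0x01  # flip one bit inside the User-Name value
    # Reply: Message-Authenticator is computed with the Request Authenticator in the
    # header; the Response Authenticator (RFC 2865 MD5) is written afterwards.
    reply = sign(build_packet(ACCESS_ACCEPT, 7, req_auth, [
        attribute(EAP_MESSAGE, bytes.fromhex("03010004")),  # EAP Success, id 1
        attribute(MESSAGE_AUTHENTICATOR, bytes(16)),
    ]), SECRET, request_authenticator=req_auth)
    resp_auth = hashlib.md5(reply[:4] + req_auth + reply[HEADER_LEN:] + SECRET).digest()
    reply = reply[:4] + resp_auth + reply[HEADER_LEN:]
    return {
        "request_requires_ma": requires_message_authenticator(request),
        "request_verifies": verify(request, SECRET),
        "tampered_fails": not verify(bytes(tampered), SECRET),
        "wrong_secret_fails": not verify(request, b"not-the-secret"),
        "reply_verifies": verify(reply, SECRET, request_authenticator=req_auth),
        "reply_with_wrong_authenticator_fails": not verify(reply, SECRET),
    }
```

`demo()` returns a dictionary of named checks that should all be true. The last check shows why the reply rule matters: verifying an Access-Accept against the Response Authenticator sitting in its own header, rather than the Request Authenticator it answers, produces a different HMAC and the packet is rejected.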
As mentioned earlier in the text, some RADIUS clients calculate the Message-Authenticator incorrectly, and others reuse the attribute number for unrelated purposes. This creates a mess: a server that enforces the check rejects traffic from such clients, while one that relaxes it gains nothing from the attribute. It is also worth noting that IPsec makes this attribute a stopgap measure. Without it, an Access-Request has no keyed integrity check at all, because its Request Authenticator is merely a random value; but where RADIUS traffic is carried over IPsec, the tunnel already authenticates every packet. When IPsec deployment becomes widespread, this attribute will be redundant.