From: John Dennis
Date: Tue, 20 Sep 2011 21:56:22 +0000 (-0400)
Subject: Always send Message-Authenticator in radtest
X-Git-Tag: release_2_1_12~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85ba2b2225c687a4929c962cc069dbfcd95100bd;p=thirdparty%2Ffreeradius-server.git

Always send Message-Authenticator in radtest

Originally Message-Authenticator was introduced to provide message integrity for EAP messages, and originally the Message-Authenticator attribute was only required for EAP messages. But then RFC 5080 came along and suggested Message-Authenticator always be sent as best practice:

    Any Access-Request packet that performs authorization checks, including Call Check, SHOULD contain a Message-Authenticator attribute.

RFC 5080 then goes on to say:

    ... server implementations may be configured to require the presence of a Message-Authenticator attribute in Access-Request packets. Requests not containing a Message-Authenticator attribute MAY then be silently discarded.

The raddb/clients.conf file has this configuration option to satisfy the above suggestion in RFC 5080:

    require_message_authenticator = no|yes

If require_message_authenticator == yes, then non-EAP auth-requests generated by radtest will fail, because currently radtest only supplies the Message-Authenticator if EAP is being performed.

With modern RADIUS servers (e.g. FreeRADIUS) there is no harm in providing the Message-Authenticator attribute for non-EAP packets; in fact it's actually recommended in RFC 5080. Therefore radtest should ALWAYS send the Message-Authenticator attribute. If it's EAP, or if the server is configured with require_message_authenticator, it must be present. If those conditions do not hold, it's benign. However, if require_message_authenticator is configured, radtest will fail for non-EAP.
---

diff --git a/src/main/radtest.in b/src/main/radtest.in
index 729711acaf4..8fd6bbd5b26 100644
--- a/src/main/radtest.in
+++ b/src/main/radtest.in
@@ -115,11 +115,11 @@ fi echo "$PASSWORD = \"$2\"" echo "$NAS_ADDR_ATTR = $nas" echo "NAS-Port = $4" + echo "Message-Authenticator = 0x00" if [ "$radclient" = "$radeapclient" ] then echo "EAP-Code = Response" echo "EAP-Type-Identity = \"$1\"" - echo "Message-Authenticator = 0x00" fi if [ "$6" ] then
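Review bot: the now-unconditional `echo "Message-Authenticator = 0x00"` should carry a comment in the script saying that `0x00` is a placeholder which radclient/radeapclient overwrites with the HMAC-MD5 of the finished packet under the shared secret; the EAP branch already relied on that placeholder, but once it sits next to `User-Password` and `NAS-Port` on every request a reader of the generated attribute list can easily take it for a literal zero value that a server would reject. A one-liner such as `# placeholder, radclient fills in the real HMAC-MD5` above the echo would settle it, and the radtest man page should mention that Message-Authenticator is now always sent, since that changes behaviour against servers that do not accept the attribute.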
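As an added illustration (not part of this commit and not FreeRADIUS code), the following Python models the two things the commit message leans on: the client side, where the `0x00` placeholder is encoded and then overwritten with HMAC-MD5 over the whole Access-Request under the shared secret (RFC 2869 section 5.14), and the server side, where a `require_message_authenticator` switch decides whether a request lacking the attribute is silently discarded, as RFC 5080 permits. The `testing123` secret, the NAS address, the user name and the password are constructed values; the password hiding follows RFC 2865 section 5.2 so the packet is a realistic one rather than a stub.

```python
"""Added example: RADIUS Access-Request with Message-Authenticator, both the
client fill-in and the server check. Minimal RFC 2865/2869 model, not FreeRADIUS."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
MESSAGE_AUTHENTICATOR = 80
MA_PLACEHOLDER = b"\x00" * 16          # what "Message-Authenticator = 0x00" stands for


def attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: 16-octet blocks XORed with a chained
    MD5(secret + previous block) stream, seeded with the Request Authenticator."""
    pad_to = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(pad_to, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def find_attr(pkt, atype):
    """(offset of value, value) for the first attribute of that type, else None."""
    off = 20                                # fixed header: code, id, length, authenticator
    while off + 2 <= len(pkt):
        atype_here, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed attribute at offset %d" % off)
        if atype_here == atype:
            return off + 2, pkt[off + 2:off + length]
        off += length
    return None


def message_authenticator(pkt, secret):
    """HMAC-MD5(secret) over the entire packet with the Message-Authenticator
    value set to 16 zero octets (RFC 2869 5.14 / RFC 3579 3.2)."""
    hit = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if hit is None:
        raise ValueError("packet has no Message-Authenticator")
    off, value = hit
    if len(value) != 16:
        raise ValueError("Message-Authenticator must be 16 octets")
    zeroed = pkt[:off] + MA_PLACEHOLDER + pkt[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def build_access_request(identifier, secret, username, password, nas_ip, nas_port,
                         send_message_authenticator=True, request_auth=None):
    """Client side (radtest + radclient): the placeholder goes into the packet
    first and is overwritten once the full packet exists, which is why the
    literal 0x00 in radtest's attribute list is harmless."""
    request_auth = request_auth or os.urandom(16)
    body = (attr(USER_NAME, username)
            + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
            + attr(NAS_PORT, struct.pack("!I", nas_port)))
    if send_message_authenticator:
        body += attr(MESSAGE_AUTHENTICATOR, MA_PLACEHOLDER)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    if send_message_authenticator:
        off, _ = find_attr(pkt, MESSAGE_AUTHENTICATOR)
        pkt = pkt[:off] + message_authenticator(pkt, secret) + pkt[off + 16:]
    return pkt


def server_check(pkt, secret, require_message_authenticator):
    """Server side, modelled on the clients.conf knob. Returns 'accept' or a
    'discard: <why>' string. Verifying the hidden password is a later step."""
    if len(pkt) < 20:
        return "discard: malformed"
    code, _identifier, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return "discard: malformed"
    hit = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if hit is None:
        # RFC 5080 2.2.2: requests without the attribute MAY be silently discarded
        return "discard: missing Message-Authenticator" if require_message_authenticator else "accept"
    _off, value = hit
    if len(value) != 16 or not hmac.compare_digest(value, message_authenticator(pkt, secret)):
        return "discard: bad Message-Authenticator"
    return "accept"


if __name__ == "__main__":
    SECRET = b"testing123"                  # constructed example shared secret
    for send in (True, False):
        pkt = build_access_request(7, SECRET, b"bob", b"hello", "192.0.2.1", 0,
                                   send_message_authenticator=send)
        for require in (False, True):
            print("sent MA=%-5s require_message_authenticator=%-5s -> %s"
                  % (send, require, server_check(pkt, SECRET, require)))
```

Running it prints four outcomes: a request carrying the attribute is accepted under either setting, a request without it is accepted only when the server does not require it. Flipping a byte of User-Name, or checking with a different secret, turns the verdict into a bad-Message-Authenticator discard, which is the integrity property the attribute adds on top of the Request Authenticator.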