Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors

Radius – Authenticator field

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
  • #30432 Reply

    Hi there guys!

    Is anyone familiar with the Radius protocol?

    I’m having a problem with the Authenticator field.
    Accordingly to the RFC 2865, the Response Authenticator should be created like this;

    Response Authenticator = MD5 (Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret)

    Now, I have a couple of questions about this:

    Lest suppose that I’m replying to an Access-Request with an Access-Accept, and I got to create the Response Authenticator.

    In this case the Code field in the MD5 function should be the value in the request (1) or in the response (2).

    And what about the rest of the fields, like Identifier, Length, Request Authenticator, Attributes, etc, should they be the ones that came in the Access-Request, or the ones that I’m about to send in the Access-Accept.

    So far I’m sending the Access-Accept packet just fine, all the attributes, identifier, everything match, except for the Authenticator.
    I’m receiving an error message that says that the Authenticator does not match with the request ID, so I believe that somehow I’m creating it wrong.

    Just to you to know guys I MD5 and array of bits containing all the required information.

    Thanks, and I hope you can help me!


    #30433 Reply
    Teodor Georgiev

    Hi Mike,

    right on your question:

    1. regarding the attributes – no they should be not the same.
    In Access-Request the NAS is sending to the Radius-server a set of attributes (like Username, Password, NAS-port, port-type, Service-Type, Calling-Station-ID and etc), by which
    The Radius server should decide wether or not to allow access to the customer. In example, it will allow only customers with valid user&pass, who are asking for Service-Type = Login, or who are logging in only to NAS = x.x.x.x.

    On Access-Accept, the Radius server is sending to the NAS (along with the instruction to let this user in) a set of instructions and rules against that user, like:

    Session-Timeout = how many seconds this customer is allowed to stay;
    What kind of MTU to set on the customer’s interface, wether or not to apply some kind of filter/access-list against the customer (set in the “Filter-ID” attribute).

    The “Identifier” field at “Access-Accept” must match with the one sent with “Access-Request” (this is how NAS knows that this reply “Accept” is related to the same “Access-Request”).

    Length is the calculated length of the message.

    You should send this:

    Code=2 (Access Accept)
    Identifier (It remains the same as in Access-Request)
    … ..
    Attributes – the attributes in Access-Accept

    that is

Viewing 2 posts - 1 through 2 (of 2 total)
Reply To: Radius – Authenticator field
Your information:

<a href="" title="" rel="" target=""> <blockquote cite=""> <code> <pre class=""> <em> <strong> <del datetime="" cite=""> <ins datetime="" cite=""> <ul> <ol start=""> <li> <img src="" border="" alt="" height="" width="">