- This topic has 1 reply, 1 voice, and was last updated 15 years, 5 months ago by Teodor Georgiev.
1st December 2005 at 03:40 #30432 Mike (Guest)
Hi there guys!
Is anyone familiar with the Radius protocol?
I’m having a problem with the Authenticator field.
According to RFC 2865, the Response Authenticator should be created like this:
Response Authenticator = MD5 (Code + Identifier + Length + Request Authenticator + Attributes + Shared Secret)
Now, I have a couple of questions about this:
Let's suppose that I'm replying to an Access-Request with an Access-Accept, and I have to create the Response Authenticator.
In this case, should the Code field in the MD5 function be the value in the request (1) or in the response (2)?
And what about the rest of the fields, like Identifier, Length, Request Authenticator, Attributes, etc.: should they be the ones that came in the Access-Request, or the ones that I'm about to send in the Access-Accept?
So far I’m sending the Access-Accept packet just fine, all the attributes, identifier, everything match, except for the Authenticator.
I’m receiving an error message that says that the Authenticator does not match with the request ID, so I believe that somehow I’m creating it wrong.
Just so you know, guys, I MD5 an array of bytes containing all the required information.
Thanks, and I hope you can help me!
Mike
3rd December 2005 at 18:49 #30433 Teodor Georgiev (Guest)
Right, on to your question:
1. Regarding the attributes: no, they should not be the same.
In the Access-Request the NAS is sending to the Radius server a set of attributes (like Username, Password, NAS-Port, Port-Type, Service-Type, Calling-Station-ID, etc.), by which the Radius server should decide whether or not to allow access to the customer. For example, it will allow only customers with a valid user&pass, who are asking for Service-Type = Login, or who are logging in only to NAS = x.x.x.x.
In the Access-Accept, the Radius server is sending to the NAS (along with the instruction to let this user in) a set of instructions and rules for that user, like:
Session-Timeout = how many seconds this customer is allowed to stay;
what kind of MTU to set on the customer's interface, whether or not to apply some kind of filter/access-list to the customer (set in the "Filter-Id" attribute).
The "Identifier" field in the "Access-Accept" must match the one sent with the "Access-Request" (this is how the NAS knows that this "Accept" reply is related to the same "Access-Request").
Length is the calculated length of the message.
You should send this:
Code = 2 (Access-Accept)
Identifier (It remains the same as in Access-Request)
Attributes – the attributes in Access-Accept
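The exchange discussed in this thread, as an added example that is not code from either poster: a NAS builds an Access-Request, the server answers with an Access-Accept whose Response Authenticator is MD5 over the response's own Code, Identifier, Length and Attributes, the 16-byte Request Authenticator copied from the request, and the shared secret, and the NAS verifies it. The shared secret, the fixed Request Authenticator, the attribute values and the function names are assumptions constructed for the example; the attribute type numbers (User-Name 1, User-Password 2, Service-Type 6, Filter-Id 11, Session-Timeout 27) and the password-hiding scheme are those of RFC 2865. The last step reproduces the mistake in the question, hashing the request's Code (1) instead of the response's (2), and shows that the NAS rejects the result.

```python
import hashlib
import hmac
import struct

# Constructed for the example (not from the thread); a real deployment uses a long random secret.
SHARED_SECRET = b"example-secret"

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RFC 2865 TLVs: Type(1) Length(1) Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must be 0..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def hide_password(password, request_auth, secret):
    """RFC 2865 section 5.2 User-Password hiding: XOR 16-byte chunks with an MD5 chain."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk  # next block is keyed with the previous ciphertext block
    return bytes(out)


def build_request(identifier, request_auth, attrs):
    """Build an Access-Request; its Authenticator field is the 16-byte Request Authenticator."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + request_auth + body


def response_authenticator(code, identifier, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.

    Code, Identifier, Length and Attributes are those of the *response* being sent;
    only the 16-byte Request Authenticator is taken from the request being answered."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_response(code, request_pkt, attrs):
    """Server side: answer request_pkt with a packet of the given code, same Identifier."""
    identifier = request_pkt[1]
    request_auth = request_pkt[4:20]
    body = encode_attrs(attrs)
    auth = response_authenticator(code, identifier, body, request_auth, SHARED_SECRET)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + auth + body


def verify_response(response_pkt, request_pkt, secret):
    """NAS side: check Identifier and Length, then recompute and compare the authenticator."""
    if len(response_pkt) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response_pkt[:4])
    if length != len(response_pkt) or identifier != request_pkt[1]:
        return False  # malformed, or a reply to some other request
    expected = response_authenticator(code, identifier, response_pkt[20:], request_pkt[4:20], secret)
    return hmac.compare_digest(expected, response_pkt[4:20])


def demo():
    """Full exchange; returns (request, accept, accept_ok, wrong_code_ok)."""
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 unpredictable bytes
    request = build_request(0x2A, request_auth, [
        (1, b"mike"),                                              # User-Name
        (2, hide_password(b"s3cret", request_auth, SHARED_SECRET)),  # User-Password (hidden)
        (6, struct.pack("!I", 1)),                                 # Service-Type = Login
    ])
    accept = build_response(ACCESS_ACCEPT, request, [
        (27, struct.pack("!I", 3600)),  # Session-Timeout
        (11, b"customer-acl"),          # Filter-Id
    ])
    # The error from the question: hashing the request's Code (1) instead of the response's (2).
    wrong_auth = response_authenticator(ACCESS_REQUEST, 0x2A, accept[20:], request_auth, SHARED_SECRET)
    wrong = accept[:4] + wrong_auth + accept[20:]
    return request, accept, verify_response(accept, request, SHARED_SECRET), verify_response(wrong, request, SHARED_SECRET)


if __name__ == "__main__":
    _, accept_pkt, ok, wrong_ok = demo()
    print("Access-Accept:", accept_pkt.hex())
    print("verified:", ok, "| with request Code hashed instead:", wrong_ok)
```

The Length that goes into the hash is the full response length (20-byte header plus attributes), and the attributes are the Access-Accept's own; the only piece carried over from the request is the Request Authenticator, which is exactly what ties the reply to that request alongside the Identifier.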