Originally Message-Authenticator was introduced to provide message
integrity for EAP messages and originally the Message-Authenticator
attribute was only required for EAP messages.
But then RFC 5080 came along and suggested Message-Authenticator
always be sent as best practice.
Any Access-Request packet that performs authorization checks,
including Call Check, SHOULD contain a Message-Authenticator
attribute.
RFC 5080 then goes on to say:
... server implementations may be configured to require the
presence of a Message-Authenticator attribute in Access-Request
packets. Requests not containing a Message-Authenticator attribute
MAY then be silently discarded.
The raddb/clients.conf has this configuration option to satisfy the
above suggestion in RFC 5080:
require_message_authenticator = no|yes
If require_message_authenticator == yes then non-EAP auth-requests
generated by radtest will fail because currently radtest only supplies
the Message-Authenticator if EAP is being performed. With modern
Radius servers (e.g. FreeRADIUS) there is no harm in providing the
Message-Authenticator attribute for non-EAP packets, in fact it's
actually recommended in RFC 5080.
Therefore radtest should ALWAYS send the Message-Authenticator
attribute. If it's EAP or if the server is configured with
require_message_authenticator it must be present. If those conditions
do not hold it's benign. However if require_message_authenticator is
configured radtest will fail for non-EAP.
echo "$PASSWORD = \"$2\""
echo "$NAS_ADDR_ATTR = $nas"
echo "NAS-Port = $4"
+ echo "Message-Authenticator = 0x00"
if [ "$radclient" = "$radeapclient" ]
then
echo "EAP-Code = Response"
echo "EAP-Type-Identity = \"$1\""
- echo "Message-Authenticator = 0x00"
fi
if [ "$6" ]
then
projects / freeradius.git / commitdiff