Message-Authenticator depending on request/response code

Julien Rische jrische at redhat.com
Tue Oct 1 11:50:02 EDT 2024


Hello everyone,

We are currently working on implementing RADIUS Message-Authenticator for MIT
krb5[1] according to RFC2865[2] and draft-ietf-radext-deprecating-radius-03[3].

We are not sure about what packet codes we should generate and expect
Message-Authenticator to verify for. In draft-ietf-radext-deprecating-radius-03
we can read:

Section 5.2.1:

  "Clients MUST add Message-Authenticator to all Access-Request packets."

Section 5.2.4:

  "Servers MUST add Message-Authenticator as the first attribute in all
   responses to Access-Request packets. That is, all Access-Accept,
   Access-Reject, Access-Challenge, and Protocol-Error packets."

However, I see that the FreeRADIUS server seems to be generating
Message-Authenticators for additional packet codes[4]. We would like to enforce
the use of Message-Authenticator as much as possible, but we are not sure if it
is relevant for all packet codes.

Could you explain why this specific code set triggers Message-Authenticator
generation in the FreeRADIUS server? And do you have any recommendations about
the cases where we should generate Message-Authenticators to ensure
compatibility with FreeRADIUS?

Thank you in advance,

Julien Rische
Red Hat, Inc.


[1] https://github.com/krb5/krb5/pull/1370
[2] https://datatracker.ietf.org/doc/html/rfc2869
[3] https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-03
[4] https://github.com/FreeRADIUS/freeradius-server/blob/4312a2df8e0829c87811f42da7591a852350c068/src/protocols/radius/base.c#L367-L386
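To make the quoted draft rules concrete, here is an added Python example (not MIT krb5 or FreeRADIUS code) that builds and verifies Message-Authenticator as RFC 2869 section 5.14 specifies, and treats the attribute as mandatory only for the packet codes the quoted sections name. The numeric codes come from RFC 2865 and RFC 7930 (Protocol-Error); the shared secret, identifiers and attributes are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
PROTOCOL_ERROR = 52        # RFC 7930
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14
# Codes for which the quoted draft text makes Message-Authenticator mandatory.
CODES_REQUIRING_MA = {ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT,
                      ACCESS_CHALLENGE, PROTOCOL_ERROR}


def build_packet(code, identifier, request_authenticator, attrs, secret):
    """Assemble a packet with Message-Authenticator as the first attribute:
    HMAC-MD5 keyed with the shared secret over the packet with the 16 MAC
    octets zeroed and the *request's* authenticator in the header field."""
    ma_hdr = bytes([MESSAGE_AUTHENTICATOR, 18])
    body = ma_hdr + bytes(16)
    body += b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body)) + request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    body = ma_hdr + mac + body[18:]
    if code != ACCESS_REQUEST:
        # Responses carry a Response Authenticator (RFC 2865 section 3) that
        # covers the finished attributes, Message-Authenticator included.
        header = header[:4] + hashlib.md5(header + body + secret).digest()
    return header + body


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True if Message-Authenticator verifies, or is absent on a code where the
    quoted draft does not require it. Responses need the request's authenticator."""
    if len(packet) < 20 or struct.unpack("!BBH", packet[:4])[2] != len(packet):
        return False
    code, length = packet[0], len(packet)
    zeroed, pos, found = bytearray(packet), 20, None
    while pos + 2 <= length:  # walk the TLV attribute list
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return False
        if t == MESSAGE_AUTHENTICATOR:
            if l != 18:
                return False  # RFC 2869 fixes the attribute at 18 octets
            found = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += l
    if found is None:
        return code not in CODES_REQUIRING_MA
    if request_authenticator is not None:
        zeroed[4:20] = request_authenticator
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(found, expected)
```

Verifying a response with its own Response Authenticator instead of the originating Request Authenticator fails, which is the usual bug when the two fields are confused.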