Message-Authenticator depending on request/response code
Julien Rische
jrische at redhat.com
Tue Oct 1 11:50:02 EDT 2024
Hello everyone,
We are currently working on implementing RADIUS Message-Authenticator for MIT
krb5[1] according to RFC2865[2] and draft-ietf-radext-deprecating-radius-03[3].
We are not sure about what packet codes we should generate and expect
Message-Authenticator to verify for. In draft-ietf-radext-deprecating-radius-03
we can read:
Section 5.2.1:
"Clients MUST add Message-Authenticator to all Access-Request packets."
Section 5.2.4:
"Servers MUST add Message-Authenticator as the first attribute in all
responses to Access-Request packets. That is, all Access-Accept,
Access-Reject, Access-Challenge, and Protocol-Error packets."
However, I see that the FreeRADIUS server seems to be generating
Message-Authenticators for additional packet codes[4]. We would like to enforce
the use of Message-Authenticator as much as possible, but we are not sure if it
is relevant for all packet codes.
Could you explain why this specific code set triggers Message-Authenticator
generation in the FreeRADIUS server? And do you have any recommendations about
the cases where we should generate Message-Authenticators to ensure
compatibility with FreeRADIUS?
Thank you in advance,
Julien Rische
Red Hat, Inc.
[1] https://github.com/krb5/krb5/pull/1370
[2] https://datatracker.ietf.org/doc/html/rfc2869
[3] https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-03
[4] https://github.com/FreeRADIUS/freeradius-server/blob/4312a2df8e0829c87811f42da7591a852350c068/src/protocols/radius/base.c#L367-L386
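The computation the post is asking about, as an added, self-contained example that is not part of the original message and is not the MIT krb5 or FreeRADIUS code: the RFC 2869 section 5.14 rule is that Message-Authenticator is HMAC-MD5, keyed with the shared secret, over Code, Identifier, Length, Authenticator and the attributes with the Message-Authenticator value zeroed. For an Access-Request the Authenticator in that input is the packet's own Request Authenticator; for Access-Accept, Access-Reject and Access-Challenge it is the Request Authenticator of the request being answered, and the response's own header carries the Response Authenticator (RFC 2865 section 3) computed afterwards. The shared secret, user name and identifier below are constructed; the `verify` function is an assumed design that treats a missing Message-Authenticator as a failure, which is the strict policy the post is considering:

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 section 3; Protocol-Error, 52, is from RFC 7930).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE, PROTOCOL_ERROR = 1, 2, 3, 11, 52
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14
HEADER_LEN = 20
MA_LEN = 16


def encode_attr(attr_type, value):
    """Type-Length-Value encoding of one attribute (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def _hmac_input(packet, authenticator):
    """HMAC input for `packet`: Code, Identifier, Length, the given Authenticator and the
    attributes with the Message-Authenticator value zeroed. Also returns the value the
    packet carried (None if absent). Malformed or duplicate attributes raise ValueError."""
    body = bytearray(packet[HEADER_LEN:])
    received, pos = None, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        if body[pos] == ATTR_MESSAGE_AUTHENTICATOR:
            if body[pos + 1] != MA_LEN + 2 or received is not None:
                raise ValueError("bad or duplicate Message-Authenticator")
            received = bytes(body[pos + 2:pos + 2 + MA_LEN])
            body[pos + 2:pos + 2 + MA_LEN] = bytes(MA_LEN)
        pos += body[pos + 1]
    return packet[:4] + authenticator + bytes(body), received


def _sign(code, identifier, authenticator, attrs, secret):
    """Build a packet with Message-Authenticator as the first attribute and fill it in.
    `authenticator` is the packet's own Request Authenticator for a request, or the
    Request Authenticator of the request being answered for a response."""
    attrs = [encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MA_LEN))] + list(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + sum(map(len, attrs)))
    packet = header + authenticator + b"".join(attrs)
    data, _ = _hmac_input(packet, authenticator)
    digest = hmac.new(secret, data, hashlib.md5).digest()
    return packet[:HEADER_LEN + 2] + digest + packet[HEADER_LEN + 2 + MA_LEN:]


def build_access_request(identifier, secret, attrs):
    return _sign(ACCESS_REQUEST, identifier, os.urandom(16), attrs, secret)


def build_response(code, request, secret, attrs):
    """Response to `request`: the HMAC is computed with the Request Authenticator in the
    header, then the Response Authenticator (RFC 2865 section 3) replaces it."""
    request_auth = request[4:HEADER_LEN]
    packet = _sign(code, request[1], request_auth, attrs, secret)
    response_auth = hashlib.md5(packet + secret).digest()  # header still holds request_auth
    return packet[:4] + response_auth + packet[HEADER_LEN:]


def verify(packet, secret, request=None):
    """True iff `packet` carries a correct Message-Authenticator. For a response pass the
    request it answers: Identifier, the HMAC keyed on the Request Authenticator, and the
    Response Authenticator are all checked. A missing attribute is treated as a failure
    (assumed strict policy, not a statement of what any implementation does)."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    if request is None:
        authenticator = packet[4:HEADER_LEN]
    elif packet[1] != request[1]:
        return False
    else:
        authenticator = request[4:HEADER_LEN]
    try:
        data, received = _hmac_input(packet, authenticator)
    except ValueError:
        return False
    if received is None:
        return False
    ok = hmac.compare_digest(hmac.new(secret, data, hashlib.md5).digest(), received)
    if request is not None:
        expected_auth = hashlib.md5(packet[:4] + authenticator + packet[HEADER_LEN:] + secret).digest()
        ok = ok and hmac.compare_digest(expected_auth, packet[4:HEADER_LEN])
    return ok


def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange: a request, its Access-Reject, and a forged copy of the
    reject whose Code byte is flipped to Access-Accept."""
    req = build_access_request(7, secret, [encode_attr(ATTR_USER_NAME, b"alice")])
    reject = build_response(ACCESS_REJECT, req, secret, [])
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]
    return {
        "request_ok": verify(req, secret),
        "reject_ok": verify(reject, secret, req),
        "forged_accept_ok": verify(forged, secret, req),
        # Checking a response with its own header Authenticator (the request rule) fails.
        "reject_checked_as_request": verify(reject, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The forged packet fails both checks because the Code byte is covered by the HMAC and by the Response Authenticator, which is exactly the reject-to-accept flip a Message-Authenticator is meant to stop. The last entry shows why the verifier must know which request a response answers: a response verified with the wrong Authenticator in the HMAC input never validates.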