Name
Message-Authenticator

Synopsis
Attribute Number: 80
Length: 18
Value: STRING
Allowed in: Access-Request, Access-Challenge, Access-Accept, Access-Reject
Prohibited in: Accounting-Request, Accounting-Response
Presence in Packet: Required in Access-Request, Access-Accept, Access-Reject, or Access-Challenge packets that contain EAP-Message; otherwise, not required
Maximum Iterations: 1

The Message-Authenticator attribute carries a keyed message integrity check over the packet so that a receiver can detect tampering, and, because the key is the shared secret, can reject packets forged by anyone who does not know it. It may be included in any Access-Request, and any packet that carries an EAP-Message attribute must also carry a Message-Authenticator. The value is the HMAC-MD5, keyed with the shared secret, of the packet Code (called Type in RFC 2869), Identifier, Length and Request Authenticator fields followed by all of the packet's attributes; while the HMAC is computed, the 16-octet value of the Message-Authenticator attribute itself is treated as zeros. In an Access-Accept, Access-Reject or Access-Challenge, the Request Authenticator used is the one from the Access-Request being answered, not the response's own Response Authenticator.
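The computation described above, as an added example that is not code from the book: it builds an EAP Access-Request and its Access-Accept, fills in attribute 80 with the HMAC-MD5 over the zeroed placeholder, and verifies received packets, rejecting a bit flip in the EAP-Message and a wrong shared secret. The shared secret, the Request Authenticator and the EAP payloads are constructed for the demonstration; a real NAS draws its Request Authenticator from a random source.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute numbers (RFC 2865/2869); 80 is the attribute on this page.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80


def encode_attr(attr_type, value):
    """RADIUS TLV: Type(1) Length(1, counts the two header octets) Value."""
    if len(value) + 2 > 255:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-octet header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        length = packet[pos + 1]
        yield pos, packet[pos], packet[pos + 2:pos + length]
        pos += length


def message_authenticator(packet, secret, request_authenticator):
    """HMAC-MD5(Code, Identifier, Length, Request Authenticator, Attributes) keyed with the
    shared secret, with the 16 value octets of attribute 80 treated as zeros.
    For an Access-Request the Request Authenticator is the packet's own Authenticator field;
    for Access-Accept/Reject/Challenge it is the Authenticator of the Access-Request being
    answered, so the response's own (Response) Authenticator is swapped out here."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    body = bytearray(packet)
    body[4:20] = request_authenticator
    seen = False
    for off, attr_type, value in iter_attrs(packet):
        if attr_type == MESSAGE_AUTHENTICATOR:
            if seen or len(value) != 16:
                raise ValueError("Message-Authenticator must appear once with length 18")
            body[off + 2:off + 18] = bytes(16)
            seen = True
    if not seen:
        raise ValueError("packet carries no Message-Authenticator")
    return hmac.new(secret, bytes(body), hashlib.md5).digest()


def build_signed(code, identifier, authenticator, attrs, secret, request_authenticator=None):
    """Append a zero-filled placeholder, compute the HMAC, and write it into place."""
    attrs = attrs + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs
    ra = authenticator if request_authenticator is None else request_authenticator
    return packet[:-16] + message_authenticator(packet, secret, ra)  # placeholder is last


def response_authenticator(packet, secret, request_authenticator):
    """RFC 2865 Response Authenticator, computed after Message-Authenticator is filled in."""
    return hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()


def verify(packet, secret, request_authenticator):
    """Constant-time check of a received packet's Message-Authenticator; False on any error."""
    try:
        expected = message_authenticator(packet, secret, request_authenticator)
    except ValueError:
        return False
    actual = next(v for _, t, v in iter_attrs(packet) if t == MESSAGE_AUTHENTICATOR)
    return hmac.compare_digest(expected, actual)


def demo():
    """Constructed exchange: EAP Access-Request and its Access-Accept, plus tamper checks."""
    secret = b"testing123"          # constructed shared secret
    req_auth = bytes(range(16))     # constructed; a real NAS uses 16 random octets
    eap_identity = bytes([2, 1, 0, 8, 1]) + b"bob"   # constructed EAP-Response/Identity
    request = build_signed(ACCESS_REQUEST, 7, req_auth,
                           encode_attr(USER_NAME, b"bob") + encode_attr(EAP_MESSAGE, eap_identity),
                           secret)
    # Access-Accept: Message-Authenticator uses the request's Authenticator, then the
    # Response Authenticator is computed over the finished attribute list.
    accept = build_signed(ACCESS_ACCEPT, 7, bytes(16),
                          encode_attr(EAP_MESSAGE, bytes([3, 1, 0, 4])),  # constructed EAP-Success
                          secret, req_auth)
    accept = accept[:4] + response_authenticator(accept, secret, req_auth) + accept[20:]
    tampered = bytearray(request)
    tampered[-20] ^= 0x01            # flip one bit inside the EAP-Message value
    return {
        "request": request,
        "accept": accept,
        "request_ok": verify(request, secret, req_auth),
        "accept_ok": verify(accept, secret, req_auth),
        "tampered_ok": verify(bytes(tampered), secret, req_auth),
        "wrong_secret_ok": verify(request, b"wrong", req_auth),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

The order of operations in the response matters: the Message-Authenticator must be computed first, with the Request Authenticator in the header, and only then is the Response Authenticator computed over the finished attribute list. A verifier that forgets to substitute the Request Authenticator, or that does not zero the attribute's own value before hashing, will never match a correctly generated packet.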

As mentioned earlier in the text, some RADIUS client implementations calculate the Message-Authenticator incorrectly, while others use attribute number 80 for different purposes, which creates interoperability problems. It is also important to note that IPsec, which protects the whole RADIUS exchange at the network layer, makes this attribute something of a stopgap measure. When IPsec implementation becomes more widespread, this attribute will be made redundant.
