radius request or response Authenticator #24

Open
joshenWang opened this issue Sep 1, 2024 · 2 comments

@joshenWang

Hi~
When I read the RADIUS standard, I found the Authenticator. The description is as follows:

> The NAS and RADIUS accounting server share a secret. The Request
> Authenticator field in Accounting-Request packets contains a one-
> way MD5 hash calculated over a stream of octets consisting of the
> Code + Identifier + Length + 16 zero octets + request attributes +
> shared secret (where + indicates concatenation). The 16 octet MD5
> hash value is stored in the Authenticator field of the
> Accounting-Request packet.

OK, actually in my project I need to use this algorithm to check the legitimacy of requests. Do you have any suggestions?

@tsyd
Member

tsyd commented Sep 1, 2024

Hello,

The library verifies the authenticator field in Accounting-Request packets:

```java
if (code == ACCOUNTING_REQUEST_CODE) {
    Arrays.fill(bytes, 4, 4 + 16, (byte) 0x00);
    MessageDigest md5 = getMd5Instance();
    md5.update(bytes);
    md5.update(secret);
    byte[] calculatedAccountingRequestAuthenticator = md5.digest();
    if (!Arrays.equals(authenticatorBytes, calculatedAccountingRequestAuthenticator)) {
        throw new PacketCodecException("Invalid Accounting-Request packet authenticator");
    }
}
```

If the RADIUS server receives an Accounting-Request packet with an invalid authenticator field, the handlePacket() method in your RadiusServer.Handler will not be called. The handleException() method in your RadiusServer.Handler implementation will be called so you can log the exception if you want.

The library also verifies the authenticator field in all the response packets: Access-Accept, Access-Reject, Access-Challenge, and Accounting-Response and throws an exception when calling send() on RadiusClient.

If a RADIUS packet contains a Message-Authenticator attribute, the library will also verify that and throw an exception if it is not correct. If you want to include a Message-Authenticator attribute in your request or response packets, you can add `new MessageAuthenticator()` and the library will automatically populate it with the calculated HMAC-MD5 of the entire packet when it's sent.
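
Added example, not the library's code and not part of the comment above: the Accounting-Request authenticator check from the RFC text quoted in the question, as a stand-alone Java class that also validates the Length field and compares the digests in constant time. The class name, shared secret and sample packet are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class AcctAuthenticatorCheck { // hypothetical class name
    static final int HEADER_LEN = 20; // Code(1) + Identifier(1) + Length(2) + Authenticator(16)

    // MD5(Code + Identifier + Length + 16 zero octets + request attributes + shared secret)
    static byte[] compute(byte[] packet, int length, byte[] secret) throws NoSuchAlgorithmException {
        byte[] copy = Arrays.copyOf(packet, length);   // octets past Length are padding, not hashed
        Arrays.fill(copy, 4, HEADER_LEN, (byte) 0x00); // zero the Authenticator field
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(copy);
        md5.update(secret);
        return md5.digest();
    }

    static boolean verify(byte[] datagram, byte[] secret) throws NoSuchAlgorithmException {
        if (datagram.length < HEADER_LEN || datagram[0] != 4) return false; // 4 = Accounting-Request
        int length = ((datagram[2] & 0xff) << 8) | (datagram[3] & 0xff);
        if (length < HEADER_LEN || length > datagram.length) return false;  // malformed or truncated
        byte[] received = Arrays.copyOfRange(datagram, 4, HEADER_LEN);
        // MessageDigest.isEqual does not stop at the first differing byte
        return MessageDigest.isEqual(received, compute(datagram, length, secret));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-secret".getBytes(StandardCharsets.UTF_8); // constructed value
        // Constructed packet: Code 4, Identifier 1, Length 26, Acct-Status-Type (40) = Start (1)
        byte[] pkt = new byte[26];
        pkt[0] = 4; pkt[1] = 1; pkt[3] = 26;
        pkt[20] = 40; pkt[21] = 6; pkt[25] = 1;
        System.arraycopy(compute(pkt, 26, secret), 0, pkt, 4, 16); // fill in the field as the NAS would

        System.out.println("valid packet:       " + verify(pkt, secret));
        byte[] tampered = pkt.clone();
        tampered[25] = 2; // attribute value changed in transit (Start -> Stop)
        System.out.println("tampered attribute: " + verify(tampered, secret));
        System.out.println("wrong secret:       " + verify(pkt, "other".getBytes(StandardCharsets.UTF_8)));
    }
}
```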

@joshenWang
Author

Thanks for your reply.
