
Re: [Issue 7] Message Authenticator



Wolfgang Beck wrote:

"RFC 2869 is informational. I see that it is useful but
I hesitate to make it mandatory.

new text:
'Informational RFC 3579 [RFC3579], section 3.2 describes
a Message-Authenticator attribute which MAY be used to protect the
integrity of RADIUS messages.'"

Omitting Message-Authenticator enables an attacker to forge Access-Request
packets.  The reason RFC 3579 could not make Message-Authenticator
mandatory for all RADIUS packets (only for packets containing an
EAP-Message attribute) was that Message-Authenticator was not required
in RFC 2865, so it was not sent by legacy RADIUS clients.

That problem does not occur here;  Digest Authentication is a new RADIUS
capability.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
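The check the message above argues for, as an added example that is not part of the original thread or of any RADIUS implementation: it builds a minimal Access-Request, computes the Message-Authenticator exactly as RFC 3579 section 3.2 specifies (HMAC-MD5 keyed with the shared secret over the whole packet with the attribute value zeroed), and then shows why the attribute has to be required rather than optional. The shared secret, identifiers and User-Name values are constructed for the example; only the User-Name and Message-Authenticator attribute types are used.

```python
"""Message-Authenticator for RADIUS Access-Request (RFC 2869 s5.14 / RFC 3579 s3.2).

Added example, not code from the thread. Secret and attribute values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20
MAC_LEN = 16


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, counts the 2 header octets) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, attrs: list, with_mac: bool) -> bytes:
    """Code / Identifier / Length / Request Authenticator / attributes.

    The Request Authenticator of an Access-Request is 16 random octets (RFC 2865):
    it hides User-Password and ties the reply to the request, but gives the
    request itself no integrity, so a forger can pick any value for it.
    """
    body = b"".join(attrs)
    if with_mac:
        body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN))  # filled by sign()
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + os.urandom(16) + body


def iter_attrs(packet: bytes):
    """Yield (type, value, tlv_offset); reject truncated or malformed TLVs."""
    off = HEADER_LEN
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, packet[off + 2 : off + length], off
        off += length


def _mac_offset(packet: bytes):
    for attr_type, value, off in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != MAC_LEN:
                raise ValueError("Message-Authenticator must be 16 octets")
            return off
    return None


def _hmac_md5(packet: bytes, off: int, secret: bytes) -> bytes:
    # HMAC-MD5 keyed with the shared secret over the entire packet, with the
    # Message-Authenticator value replaced by 16 zero octets (RFC 3579 s3.2).
    zeroed = packet[: off + 2] + bytes(MAC_LEN) + packet[off + 2 + MAC_LEN :]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def sign(packet: bytes, secret: bytes) -> bytes:
    """Client side: fill in the Message-Authenticator placeholder."""
    off = _mac_offset(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator attribute")
    return packet[: off + 2] + _hmac_md5(packet, off, secret) + packet[off + 2 + MAC_LEN :]


def verify(packet: bytes, secret: bytes, require: bool = True) -> bool:
    """Server side. require=True rejects requests that omit the attribute (the
    policy argued for above); require=False is the legacy RFC 2865 behaviour
    that lets a forger simply leave the attribute out."""
    off = _mac_offset(packet)
    if off is None:
        return not require
    received = packet[off + 2 : off + 2 + MAC_LEN]
    return hmac.compare_digest(received, _hmac_md5(packet, off, secret))


def demo(secret: bytes = b"constructed-shared-secret") -> dict:
    """Exercise the cases discussed in the thread; every value should be True."""
    genuine = sign(build_access_request(7, [encode_attr(ATTR_USER_NAME, b"alice")], True), secret)
    # On-path attacker without the secret rewrites User-Name (same length keeps Length valid).
    off = next(o for t, _, o in iter_attrs(genuine) if t == ATTR_USER_NAME)
    tampered = genuine[: off + 2] + b"mallo" + genuine[off + 7 :]
    # Attacker forges a fresh request and omits Message-Authenticator altogether.
    forged = build_access_request(8, [encode_attr(ATTR_USER_NAME, b"mallo")], False)
    return {
        "genuine_accepted": verify(genuine, secret),
        "tampered_rejected": not verify(tampered, secret),
        "wrong_secret_rejected": not verify(genuine, b"guess"),
        "forged_rejected_when_required": not verify(forged, secret, require=True),
        "forged_accepted_when_optional": verify(forged, secret, require=False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

The last two entries of `demo()` are the whole argument: with the attribute merely optional, a forged Access-Request that omits it is indistinguishable from a legacy client's, so a server can only reject such forgeries if the specification for a new capability makes the attribute mandatory.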