- Type: Bug
- Status: Resolved
- Priority: Medium
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: None
- Component/s: ONOS & Apps
- Labels:
- Story Points: 3
- Epic Link:

As per RFC 2869 Section 5.14, which describes the Message-Authenticator attribute, the Request Authenticator value should be used when generating the HMAC-MD5 hash for both the RADIUS Access-Request (client to server) and the RADIUS Access-Challenge/Access-Accept/Access-Reject responses (server to client).

However, the RADIUS.checkMessageAuthenticator() method of the base RADIUS implementation used in the ONOS AAA application is missing this handling. It works only for RADIUS requests, because it uses the current value of the Authenticator header for the HMAC-MD5 calculation. It does not correctly validate the Message-Authenticator attribute in a RADIUS response (Access-Challenge/Accept/Reject) received by the AAA application, because the Authenticator value sent earlier in the request (not the one received in the response) should be used for the HMAC-MD5 calculation. As a result, the Message Authentication check fails for every RADIUS response, and its counter increases every time.

Fix the issue by using the Request Authenticator value saved in the State Machine for this check.
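
The check described above, sketched in Python as an added example (not the ONOS AAA code or its fix): a response is verified once against its own Authenticator field and once against the saved Request Authenticator. The shared secret, Request Authenticator, attribute contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 section 5.14)
SECRET = b"constructed-shared-secret"   # constructed sample value
REQUEST_AUTH = bytes(range(16))         # constructed Request Authenticator

def find_msg_auth(packet):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    pos = 20  # attributes start after the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None  # malformed attribute list
        if atype == MSG_AUTH and alen == 18:
            return pos + 2
        pos += alen
    return None

def check_message_authenticator(packet, secret, request_auth=None):
    """Verify Message-Authenticator over the packet.

    request_auth=None hashes the packet's own Authenticator field, which is
    only right for an Access-Request. For a response, pass the Request
    Authenticator saved when the request was sent.
    """
    off = find_msg_auth(packet)
    if off is None:
        return False
    auth = packet[4:20] if request_auth is None else request_auth
    # HMAC input: header, Request Authenticator, attributes with the
    # Message-Authenticator value zeroed.
    data = packet[:4] + auth + packet[20:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, data, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])

def build_response(code, ident, request_auth, attrs, secret):
    """Constructed server side: sign a reply the way the RFC describes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18)
    body = attrs + bytes([MSG_AUTH, 18]) + bytes(16)
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Response Authenticator replaces the Authenticator field on the wire.
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

CHALLENGE = build_response(11, 1, REQUEST_AUTH, bytes([18, 7]) + b"hello", SECRET)
```

Checking `CHALLENGE` without the saved Request Authenticator rejects a legitimately signed response, which is the failure the issue reports; passing `REQUEST_AUTH` accepts it and still rejects a modified packet.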

- relates to: SEBA-37 Operational Status RADIUS Accounting Server (Resolved)

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
14909,2 | [SEBA-805] Using the Request Authenticator value saved in State Machine to check Message Authentication for each Radius response as per rfc 2869 | master | aaa | Status: MERGED | +2 | +1 |