I am trying to implement RADIUS protocol. As per the RFC 2866, for RADIUS Accounting, when calculating the Authenticator field these are the steps:
The Authenticator field in an Accounting-Response packet is called the Response Authenticator, and contains a one-way MD5 hash calculated over a stream of octets consisting of the Accounting-Response Code, Identifier, Length, the Request Authenticator field from the Accounting-Request packet being replied to, and the response attributes if any, followed by the shared secret. The resulting 16 octet MD5 hash value is stored in the Authenticator field of the Accounting-Response packet.
I am trying to calculate it and I cannot get the right value:
Code = 5 (0x05), 1 byte
Identifier: 134 (0x86), 1 byte
Length: 20 (0x0014), 2 bytes
Request Authenticator: bac85592365b2e786ad3095a1cf22646, 16 bytes
There are no Attributes in my response
Shared-secret: 63 21 6d 40 35 32 32 35 (c!m@5225)
So the input for the MD5 hash would be: 05860014bac85592365b2e786ad3095a1cf2264663216d4035323235 and I get: b7ac1e6909302b06bd021aede380dbc5 using these 2 web sites: http://www.md5hashgenerator.com/ and http://www.miraclesalad.com/webtools/md5.php
The actual response has the Authenticator as 9629702dca9469714fb423ca7b1525bc. I am comparing by looking at real RADIUS packets being sent by the client/server, and the Authenticator that I calculate does not match the one sent by the Server. Any ideas what it can be?
The RFC 2865 at the end has a couple of examples. Example 1, using the shared
secret "xyzzy5461"
User Telnet to Specified Host
The NAS at 192.168.1.16 sends an Access-Request UDP packet to the
RADIUS Server for a user named nemo logging in on port 3 with
password "arctangent".
The Request Authenticator is a 16 octet random number generated by
the NAS.
The User-Password is 16 octets of password padded at end with nulls,
XORed with MD5(shared secret|Request Authenticator).
01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb
98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d
93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8
01 10 05 06 00 00 00 03
1 Code = Access-Request (1)
1 ID = 0
2 Length = 56
16 Request Authenticator
Attributes:
6 User-Name = "nemo"
18 User-Password
6 NAS-IP-Address = 192.168.1.16
6 NAS-Port = 3
The RADIUS server authenticates nemo, and sends an Access-Accept UDP
packet to the NAS telling it to telnet nemo to host 192.168.1.3.
The Response Authenticator is a 16-octet MD5 checksum of the code
(2), id (0), Length (38), the Request Authenticator from above, the
attributes in this reply, and the shared secret.
02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf
9b 55 e0 b2 06 06 00 00 00 01 0f 06 00 00 00 00
0e 06 c0 a8 01 03
1 Code = Access-Accept (2)
1 ID = 0 (same as in Access-Request)
2 Length = 38
16 Response Authenticator
Attributes:
6 Service-Type (6) = Login (1)
6 Login-Service (15) = Telnet (0)
6 Login-IP-Host (14) = 192.168.1.3
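
The Response Authenticator calculation checked against the RFC 2865 example quoted above, as an added example that is not part of the original posts. The function names are assumptions made here; the hash is taken over the raw octets, whereas an MD5 tool that treats its input as text hashes the ASCII characters of the hex string instead.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, identifier, request_auth, attributes, secret):
    """MD5(Code | ID | Length | Request Authenticator | Attributes | Secret), raw octets."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def verify_response(response, request_auth, secret):
    """Validate a received response against the request it answers."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if not 20 <= length <= len(response):
        return False  # malformed Length field
    expected = response_authenticator(code, identifier, request_auth,
                                      response[20:length], secret)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(expected, response[4:20])

def octets_vs_text(hex_stream):
    """Digest of the decoded octets and of the hex string hashed as ASCII text."""
    as_octets = hashlib.md5(bytes.fromhex(hex_stream)).hexdigest()
    as_text = hashlib.md5(hex_stream.encode("ascii")).hexdigest()
    return as_octets, as_text

# RFC 2865 example quoted above (shared secret "xyzzy5461").
RFC_SECRET = b"xyzzy5461"
RFC_REQUEST_AUTH = bytes.fromhex("0f403f9473978057bd83d5cb98f4227a")
RFC_ACCESS_ACCEPT = bytes.fromhex(
    "02000026" "86fe220e7624ba2a1005f6bf9b55e0b2"
    "060600000001" "0f0600000000" "0e06c0a80103")

# Input stream from the question: Code 5, ID 0x86, Length 20, no attributes.
QUESTION_STREAM = "05860014bac85592365b2e786ad3095a1cf2264663216d4035323235"

if __name__ == "__main__":
    print("RFC example verifies:",
          verify_response(RFC_ACCESS_ACCEPT, RFC_REQUEST_AUTH, RFC_SECRET))
    octets, text = octets_vs_text(QUESTION_STREAM)
    print("MD5 over octets:  ", octets)
    print("MD5 over hex text:", text)
```
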