Viola

Reputation: 3

Set the HMAC-256 algorithm for calculating message-authenticator

Per the RADIUS document:

When present in an Access-Request packet, Message-Authenticator is an HMAC-MD5 checksum of the entire Access-Request packet, including Type, ID, Length and authenticator, using the shared secret as the key

But if using the HMAC-MD5 algorithm, hackers can easily break data packets between RADIUS and NAS.

Is it possible to set the HMAC-SHA256 algorithm for calculating and checking Message-Authenticator in FreeRADIUS? Special reminder: this is RADIUS/NAS encryption, not user-password encryption.

Currently, I plan to use the HMAC-SHA256 algorithm for calculating Message-Authenticator in the NAS, and I want to set the HMAC-SHA256 algorithm for calculating Message-Authenticator in FreeRADIUS.

Upvotes: 0

Views: 228

Answers (1)

Arran Cudbard-Bell

Reputation: 6065

No. FreeRADIUS implements Message-Authenticator as per RFC 2869, which uses an MD5 HMAC. The IETF is deprecating RADIUS in the clear; new implementations should use RADSEC (RADIUS over TLS).

Upvotes: 0
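
The calculation quoted in the question, worked through as an added example (not part of the original question or answer, and not FreeRADIUS code): it builds an Access-Request, computes Message-Authenticator as HMAC-MD5 over the whole packet with the attribute's value zeroed, and verifies it on the receiving side. The function names, shared secret, identifier and Request Authenticator are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1          # RADIUS packet code
USER_NAME = 1               # attribute type
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869

def attr(attr_type, value):
    # Attribute layout: Type (1 octet), Length (1 octet, includes header), Value
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, ident, request_auth, user):
    # The Message-Authenticator value is 16 zero octets while the HMAC is computed.
    attrs = attr(USER_NAME, user) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = header + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the attribute is last here, so patch the tail

def verify_message_authenticator(secret, pkt):
    if len(pkt) < 20:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < 20 or length > len(pkt):
        return False
    pkt = pkt[:length]      # ignore padding beyond the declared Length
    pos = 20                # attributes start after the 20-octet header
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False    # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)  # constant-time
        pos += attr_len
    return False            # attribute absent: treat as unauthenticated

# Constructed sample values
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    packet = build_access_request(SECRET, 7, REQUEST_AUTH, b"alice")
    print(verify_message_authenticator(SECRET, packet))
```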
