RFC Errata
RFC 2865, "Remote Authentication Dial In User Service (RADIUS)", June 2000
Note: This RFC has been updated by RFC 2868, RFC 3575, RFC 5080, RFC 6929, RFC 8044
Source of RFC: radius (ops)
Errata ID: 4077
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Axel Luttgens
Date Reported: 2014-08-10
Rejected by: Benoit Claise
Date Rejected: 2014-10-07
Section 3 says:
Response Authenticator
The value of the Authenticator field in Access-Accept, Access-Reject, and Access-Challenge packets is called the Response Authenticator, and contains a one-way MD5 hash calculated over a stream of octets consisting of: the RADIUS packet, beginning with the Code field, including the Identifier, the Length, the Request Authenticator field from the Access-Request packet, and the response Attributes, followed by the shared secret. That is, ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where + denotes concatenation.
It should say:
Response Authenticator
The value of the Authenticator field in Access-Accept, Access-Reject, and Access-Challenge packets is called the Response Authenticator, and contains a one-way MD5 hash calculated over a stream of octets consisting of: the response Code field, the Identifier, the response Length, the Request Authenticator, the response Attributes, and finally the shared secret. That is, ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where + denotes concatenation.
Notes:
This sentence fragment "[...] consisting of: the RADIUS packet, [...]" tends to imply one is considering either the Access-Request packet, or the reply packet being under construction.
But this is inconsistent with the idea of having the MD5 hash calculated over both the Request Authenticator and the response Attributes...
--VERIFIER NOTES--
As discussed with the AAA doctors
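An added example, not part of the erratum or of RFC 2865: Python code for the client-side check of the Response Authenticator, making explicit that the hash covers the reply's own Code, Identifier, Length and Attributes together with the Request Authenticator taken from the matching Access-Request. The function names, the shared secret and the sample reply are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20              # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
REPLY_CODES = (2, 3, 11)     # Access-Accept, Access-Reject, Access-Challenge

def response_authenticator(code, identifier, attributes, request_auth, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret), all reply fields
    except RequestAuth, which comes from the Access-Request being answered."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_response(code, identifier, attributes, request_auth, secret):
    """Server side: assemble a reply carrying its Response Authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes

def verify_response(packet, request_id, request_auth, secret):
    """Client side: accept a reply only if it matches the pending request."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in REPLY_CODES or identifier != request_id:
        return False
    if not HEADER_LEN <= length <= 4096 or length > len(packet):
        return False             # shorter than Length claims: discard
    packet = packet[:length]     # octets beyond Length are padding, ignored
    expected = response_authenticator(
        code, identifier, packet[HEADER_LEN:], request_auth, secret)
    # Constant-time comparison avoids leaking how many octets matched.
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])

# Constructed sample values (not taken from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))            # from the Access-Request
REPLY_ATTRS = bytes([18, 4]) + b"ok"       # Reply-Message (type 18), "ok"
SAMPLE_REPLY = build_response(2, 7, REPLY_ATTRS, REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(verify_response(SAMPLE_REPLY, 7, REQUEST_AUTH, SECRET))
```

A reply checked against a different request's Request Authenticator fails verification, which is the binding between request and response that the quoted text describes.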