RFC Errata
RFC 6218, "Cisco Vendor-Specific RADIUS Attributes for the Delivery of Keying Material", April 2011
Source of RFC: INDEPENDENT
Errata ID: 8095
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Manjiri Gadagkar
Date Reported: 2024-09-06
Section 3.3 says:
For responses (e.g., CoA-ACK [RFC5176], Accounting-Response [RFC2866], etc.), the value of the MAC field is a hash of the entire packet except the Response Authenticator in the header of the RADIUS packet using a shared secret as the key, as follows.

   MAC = HASH-ALG(Key, Type + Identifier + Length + Attributes)
It should say:
For responses (e.g., CoA-ACK [RFC5176], Accounting-Response [RFC2866], etc.), the value of the MAC field is a hash calculated using the Request Authenticator from the request this packet is in reply to and a shared secret as the key as follows.

   MAC = HASH-ALG(Key, Type + Identifier + Length + Request Authenticator + Attributes)
Notes:
Parity with RFC 3579 section 3.2
For Access-Challenge, Access-Accept, and Access-Reject packets,
the Message-Authenticator is calculated as follows, using the
Request-Authenticator from the Access-Request this packet is in
reply to:
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
Request Authenticator, Attributes)
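
The two response-MAC formulas in this report, computed side by side, as an added example that is not part of the erratum or of RFC 6218. It shows that only the proposed formula makes a response MAC depend on the request it answers. Assumptions: HMAC-SHA-256 stands in for HASH-ALG, the function names are hypothetical, the key, identifier, authenticators and attribute bytes are constructed, and the handling of the MAC field inside the attributes is not modelled.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20  # Code/Type (1) + Identifier (1) + Length (2) + Authenticator (16)

def _prefix(code: int, identifier: int, attributes: bytes) -> bytes:
    """Type + Identifier + Length as they appear in the RADIUS header."""
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))

def mac_current_text(key: bytes, code: int, identifier: int,
                     attributes: bytes) -> bytes:
    """MAC = HASH-ALG(Key, Type + Identifier + Length + Attributes)"""
    msg = _prefix(code, identifier, attributes) + attributes
    return hmac.new(key, msg, hashlib.sha256).digest()  # assumed HASH-ALG

def mac_proposed_text(key: bytes, code: int, identifier: int,
                      request_authenticator: bytes, attributes: bytes) -> bytes:
    """MAC = HASH-ALG(Key, Type + Identifier + Length
                           + Request Authenticator + Attributes)"""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    msg = (_prefix(code, identifier, attributes)
           + request_authenticator + attributes)
    return hmac.new(key, msg, hashlib.sha256).digest()  # assumed HASH-ALG

def verify_proposed(key: bytes, code: int, identifier: int,
                    request_authenticator: bytes, attributes: bytes,
                    received_mac: bytes) -> bool:
    """Receiver side: recompute with the authenticator of the request it sent."""
    expected = mac_proposed_text(key, code, identifier,
                                 request_authenticator, attributes)
    return hmac.compare_digest(expected, received_mac)

# Constructed sample values (not taken from any real deployment).
KEY = b"constructed-shared-secret"
COA_ACK = 44                      # CoA-ACK packet code (RFC 5176)
IDENT = 7
ATTRS = b"constructed-attribute-bytes"
REQ_A = bytes(range(16))          # authenticator of the request being answered
REQ_B = bytes(range(16, 32))      # authenticator of a different request

if __name__ == "__main__":
    mac = mac_proposed_text(KEY, COA_ACK, IDENT, REQ_A, ATTRS)
    print("current text :", mac_current_text(KEY, COA_ACK, IDENT, ATTRS).hex())
    print("proposed text:", mac.hex())
    print("matches request A:", verify_proposed(KEY, COA_ACK, IDENT, REQ_A, ATTRS, mac))
    print("matches request B:", verify_proposed(KEY, COA_ACK, IDENT, REQ_B, ATTRS, mac))
```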