radius request or response Authenticator

[joshenWang]

Hi~
when i read radius Standard，i find the Authenticator,the description is as follows:
The NAS and RADIUS accounting server share a secret. The Request
Authenticator field in Accounting-Request packets contains a one-
way MD5 hash calculated over a stream of octets consisting of the
Code + Identifier + Length + 16 zero octets + request attributes +
shared secret (where + indicates concatenation). The 16 octet MD5
hash value is stored in the Authenticator field of the
Accounting-Request packet
ok, actually in my project,i need use this algorithm to check the legitimacy of request,do you have some suggestions?

[tsyd]

Hello,

The library verifies the authenticator field in Accounting-Request packets:

aaa4j-radius/aaa4j-radius-core/src/main/java/org/aaa4j/radius/core/packet/PacketCodec.java

Lines 320 to 331 in 562f411

	if (code == ACCOUNTING_REQUEST_CODE) {
	Arrays.fill(bytes, 4, 4 + 16, (byte) 0x00);
	MessageDigest md5 = getMd5Instance();
	md5.update(bytes);
	md5.update(secret);
	byte[] calculatedAccountingRequestAuthenticator = md5.digest();
	if (!Arrays.equals(authenticatorBytes, calculatedAccountingRequestAuthenticator)) {
	throw new PacketCodecException("Invalid Accounting-Request packet authenticator");
	}
	}

If the RADIUS server receives an Accounting-Request packet with an invalid authenticator field, the handlePacket() method in your RadiusServer.Handler will not be called. The handleException() method in your RadiusServer.Handler implementation will be called so you can log the exception if you want.

The library also verifies the authenticator field in all the response packets: Access-Accept, Access-Reject, Access-Challenge, and Accounting-Response and throws an exception when calling send() on RadiusClient.

If a RADIUS packets contains a Message-Authenticator attribute, the library will also verify that and throw an exception if it is not correct. If you want to include a Message-Authenticator attribute in your request or response packets, you can add new MessageAuthenticator() and the library will automatically populate it with the calculated HMAC-MD5 of the entire packet when it's sent.

[joshenWang]

thanks for your reply