RADIUS Invalid Authenticator and Message-Authenticator Troubleshoot Guide
Document ID: 118673
Contributed by Michal Garcarz, Cisco TAC Engineer.
Jan 20, 2016
Contents
Introduction
Authenticator Header
     Authentication of Response
        When should you expect validation failure?
     Password Hiding
     Retransmissions
     Accounting
Message-Authenticator Attribute
     When should the Message-Authenticator be used?
     When should you expect validation failure?
     Validate the Message-Authenticator Attribute
Related Information
Introduction
This document describes two RADIUS security mechanisms:
• Authenticator Header
• Message-Authenticator attribute
This document covers what these security mechanisms are, how they are used, and when you should expect
validation failure.
Authenticator Header
Per RFC 2865, the Authenticator Header is 16 bytes long. When it is used in an Access-Request, it is called a
Request Authenticator. When it is used in any kind of response, it is called a Response Authenticator. It is
used for:
• Authentication of response
• Password hiding
Authentication of Response
If the server responds with the correct Response Authenticator, the client can verify that the response
corresponds to a valid request.
The client sends the request with the random Authenticator Header. Then, the server that sends the response
calculates the Response Authenticator with the use of the request packet along with the shared secret:
ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
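The client-side check that follows from this formula, as an added example (not code from the original Cisco document). The shared secret, Request Authenticator and Reply-Message attribute are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS Code for Access-Accept (RFC 2865)

def response_authenticator(code, ident, attributes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)  # 20-byte RADIUS header plus attributes
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_response(code, ident, attributes, request_auth, secret):
    """Server side: assemble a response carrying its Response Authenticator."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes

def validate_response(packet, request_auth, secret):
    """Client side: True only if the Response Authenticator matches."""
    if len(request_auth) != 16 or len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False  # declared Length is impossible for this datagram
    packet = packet[:length]  # octets beyond Length are padding
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    # Constant-time comparison of received vs. recomputed authenticator
    return hmac.compare_digest(packet[4:20], expected)

# Constructed sample values (not taken from any real capture)
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))             # the client's random 16 bytes
REPLY_MESSAGE = bytes([18, 9]) + b"Welcome" # Reply-Message: type 18, length 9

def demo():
    pkt = build_response(ACCESS_ACCEPT, 7, REPLY_MESSAGE, REQUEST_AUTH, SECRET)
    tampered = pkt[:-1] + b"!"              # attribute changed in transit
    return {
        "valid": validate_response(pkt, REQUEST_AUTH, SECRET),
        "wrong_secret": validate_response(pkt, REQUEST_AUTH, b"other-secret"),
        "other_request": validate_response(pkt, bytes(16), SECRET),
        "tampered": validate_response(tampered, REQUEST_AUTH, SECRET),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID authenticator'}")
```

A shared-secret mismatch, a response matched against the wrong request, and a packet modified in transit all produce the same result: the recomputed MD5 does not equal the received Response Authenticator.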