Per the RADIUS document:
When present in an Access-Request packet, Message-Authenticator is an HMAC-MD5 checksum of the entire Access-Request packet, including Type, ID, Length and authenticator, using the shared secret as the key.
But when the HMAC-MD5 algorithm is used, hackers can easily break data packets between RADIUS and the NAS.
Is it possible to set the HMAC-SHA256 algorithm for calculating and checking Message-Authenticator in FreeRADIUS? Special reminder: this is RADIUS/NAS encryption, not user-password encryption.
Currently, I plan to use the HMAC-SHA256 algorithm for calculating Message-Authenticator in the NAS, and I want to set the HMAC-SHA256 algorithm for calculating Message-Authenticator in FreeRADIUS.
No. FreeRADIUS implements Message-Authenticator as per RFC 2869, which uses an MD5 HMAC. The IETF is deprecating RADIUS in the clear; new implementations should use RADSEC (RADIUS over TLS).
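The RFC 2869 calculation referred to above, as an added example that is not part of the original thread and is not FreeRADIUS code: the HMAC-MD5 is taken over the whole Access-Request with the 16-octet Message-Authenticator value set to zero, keyed with the shared secret. The function names, the secret and the sample attributes are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def find_message_authenticator(packet):
    # Walk the attribute list after the 20-octet header; return value offset or None.
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    return None

def sign_access_request(identifier, request_auth, attrs, secret):
    # Append a zero-filled Message-Authenticator, then fill in the HMAC-MD5.
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = bytearray(header + request_auth + body)
    off = find_message_authenticator(packet)
    packet[off:off + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_access_request(packet, secret):
    # Simplification: require the Length field to equal the datagram length.
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        off = find_message_authenticator(packet)
    except ValueError:
        return False
    if off is None:
        return False  # treat a missing Message-Authenticator as a failure
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])

# Constructed sample: User-Name (type 1) and NAS-IP-Address (type 4).
SECRET = b"constructed-shared-secret"
SAMPLE = sign_access_request(7, bytes(range(16)),
                             [attr(1, b"alice"), attr(4, bytes([192, 0, 2, 1]))], SECRET)
```

Both ends must run the same calculation, so a NAS that computed this field with a different hash would fail verification on a server following RFC 2869.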