On Jun 28, 2023, at 11:53 AM, Lannar Dean via Freeradius-Devel <freeradius-devel@lists.freeradius.org> wrote:
When using the perl module to process access-requests, is it possible to get the "Authenticator" value (NOT the Message-Authenticator)?
it's in the virtual attribute Packet-Authentication-Vector. You'll have to copy that to a "real" attribute for it to show up in rlm_perl
There is a VSA which contains encoded data, which is using the encoding mechanism specified in RFC2865, which requires the Authenticator to decrypt. It does not decode properly when the dictionary specifies RFC2865 (encrypt=1) or RFC2868 (encrypt=2), because the encrypted data is sometimes larger than 192 bytes which is not supported in the Password attribute.
Edit src/lib/radius.c. Find MAX_PASS_LEN. Change (128) to (254). Recompile.
For example, I need access to the following value, visible in a packet capture, from within my perl script: Authenticator value <https://i.stack.imgur.com/p6LTq.png> (not the Message-Authenticator AVP <https://i.stack.imgur.com/dB4q4.png>)
The text to be decrypted is present in a VSA that is defined in a dictionary, such as
ATTRIBUTE MyVendors-Special-Passphrase 44 string encrypt=1
(also tried encrypt=2)
That uses a completely different encryption method, and won't work for attributes which are supposed to use "encrypt=1". TBH the simplest thing is to just change MAX_PASS_LEN. The RFCs say that User-Password is limited to 128 characters. But I can't for the life of me think of an issue with allowing passwords to be longer than 128 bytes. Since pretty much no one ever sends passwords that long, changing MAX_PASS_LEN won't really affect anyone. Alan DeKok.