Fwd: Request-Authenticator attribute removed from accounting log
Hi, I'm using a 3.1.x build of a few days ago. In previous versions (don't know exactly when it changed), the accounting log contained "Request-Authenticator = verified" for each received message. It seems that this was removed recently. When parsing the log, I check whether this field is present. My questions: * Is there still a way to include this in the log? * if not, why was it removed? thanks in advance! Best regards, Tom Carly
On Jan 30, 2017, at 5:18 AM, Tom Carly <tomcarly@gmail.com> wrote:
I'm using a 3.1.x build of a few days ago.
If you need the 3.1 features, OK. Otherwise you should stick with v3.0.
In previous versions (don't know exactly when it changed), the accounting log contained "Request-Authenticator = verified" for each received message. It seems that this was removed recently. When parsing the log, I check whether this field is present.
Why?
My questions: * Is there still a way to include this in the log? * if not, why was it removed?
It was removed because it no longer makes sense. It was originally added because Accounting-Request packets were allowed to have a request authenticator of all zeros. The "Request-Authenticator = verified" then meant that the Accounting-Request packet was properly signed. But... the "request authenticator of all zeros" has been forbidden by FreeRADIUS for the better part of a decade. Therefore the "Request-Authenticator = verified" was ALWAYS set, and was useless. Fix your script to not look for Request-Authenticator. Any logic you have based on that should be removed, and replaced with an "always true" setting for it. Alan DeKok.
participants (2)
-
Alan DeKok -
Tom Carly