radclient CoA and salt-encrypted attributes

Alan DeKok aland at deployingradius.com
Sat Dec 15 16:14:29 CET 2007

Bjørn Mork wrote:
> We've been strugglig with CoA and LI on Juniper E-series.  The problem
> is that JUNOSe by default require a few salt-encrypted VSAs also when
> using CoA, which means that they must be encrypted using an accounting
> request authenticator.

  Ah, OK.

> The attached patch will use an accounting request authenticator when
> salt-encrypting for accounting, disconnect or coa.  It has been verified
> to work against JUNOSe 7.3.4:

  I've applied it, with one change:  the default for packets is to use
original->request.  This lets it work normally for CoA-ACK and
Disconnect-Ack, too.  With the patch as posted, it wouldn't work for
those two packets.

  It's a bit of a corner case, but it's worth thinking about.

  Alan DeKok.

More information about the Freeradius-Devel mailing list