Fwd: Accessing the "Authenticator" value from within a perl script

Lannar Dean ldd at rgnets.com
Wed Jun 28 15:53:44 UTC 2023

When using the perl module to process access-requests, is it possible to
get the "Authenticator" value (NOT the Message-Authenticator)?

There is a VSA which contains encoded data, which is using the encoding
mechanism specified in RFC2865, which requires the Authenticator to
decrypt. It does not decode properly when the dictionary specifies RFC2865
(encrypt=1) or RFC2868 (encrypt=2), because the encrypted data is sometimes
larger than 192 bytes which is not supported in the Password attribute.

For example, I need access to the following value, visible in a packet
capture, from within my perl script: Authenticator value
<https://i.stack.imgur.com/p6LTq.png> (not the Message-Authenticator AVP

The text to be decrypted is present in a VSA that is defined in a
dictionary, such as

ATTRIBUTE    MyVendors-Special-Passphrase     44 string encrypt=1

(also tried encrypt=2)

An example of the payload of the value is


I would like to decrypt the data manually inside a perl module, but in
order to do that I need the Authenticator value to use as a vector to the
decryption algorithm, which I haven't been able to access from my perl

Since neither encrypt=1 nor encrypt=2 results in the correct data, I would
like to do the decryption myself within perl.   If I obtain the
Authenticator value manually from a packet capture, I am able to complete
the process, but I would like to automate this.

Does anyone know of a way to get that value?

Thank you in advance!

More information about the Freeradius-Devel mailing list