salt-encrypted VSAs?

Bjørn Mork bjorn at
Fri Aug 26 13:05:39 CEST 2005

"Alan DeKok" <aland at> writes:
> =?iso-8859-1?Q?Bj=F8rn_Mork?= <bjorn at> wrote:
>> My problem seems to be that FreeRADIUS will only encrypt string or
>> octet values, while Juniper has defined salt encrypted integer and
>> ipaddr VSAs too.
>   Try setting "encrypt=2" for attribute 59.  That should work there.

Yup.  Thanks.  I should have seen that 2 was the correct method.

>   For the non-string attributes, it may be possible to patch
> src/lib/radius.c to decrypt them, too.  I wouldn't be surprised if the
> patch was only a few lines.
>   But either you need C experience to write the patch, or you need to
> supply the packet data to someone who can write the patch.

This seems to do the job:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff.txt
Type: text/x-patch
Size: 1223 bytes
Desc: encrypted integer hack
URL: <>
-------------- next part --------------

Any chance of getting something like this into the 1.0 branch, or
should I prepare a nicer patch for CVS HEAD instead?

There is also this dictionary update to go with it, but it's pretty
useless without the patch:

-------------- next part --------------


More information about the Freeradius-Users mailing list