Request-Authenticator attribute removed from accounting log

Alan DeKok aland at
Mon Jan 30 14:49:45 CET 2017

On Jan 30, 2017, at 5:18 AM, Tom Carly <tomcarly at> wrote:
> I'm using a 3.1.x build of a few days ago.

  If you need the 3.1 features, OK.  Otherwise you should stick with v3.0.

> In previous versions (don't know
> exactly when it changed), the accounting log contained
> "Request-Authenticator = verified" for each received message. It seems that
> this was removed recently. When parsing the log, I check whether this field
> is present.


> My questions:
> * Is there still a way to include this in the log?
> * if not, why was it removed?

  It was removed because it no longer makes sense.

  It was originally added because Accounting-Request packets were allowed to have a request authenticator of all zeros.  The "Request-Authenticator = verified" then meant that the Accounting-Request packet was properly signed.

  But... the "request authenticator of all zeros" has been forbidden by FreeRADIUS for the better part of a decade.  Therefore the "Request-Authenticator = verified" was ALWAYS set, and was useless.

  Fix your script to not look for Request-Authenticator.  Any logic you have based on that should be removed, and replaced with an "always true" setting for it.

  Alan DeKok.

More information about the Freeradius-Users mailing list