Request-Authenticator attribute removed from accounting log
Alan DeKok
aland at deployingradius.com
Mon Jan 30 14:49:45 CET 2017
On Jan 30, 2017, at 5:18 AM, Tom Carly <tomcarly at gmail.com> wrote:
>
> I'm using a 3.1.x build of a few days ago.
If you need the 3.1 features, OK. Otherwise you should stick with v3.0.
> In previous versions (don't know
> exactly when it changed), the accounting log contained
> "Request-Authenticator = verified" for each received message. It seems that
> this was removed recently. When parsing the log, I check whether this field
> is present.
Why?
> My questions:
> * Is there still a way to include this in the log?
> * if not, why was it removed?
It was removed because it no longer makes sense.
It was originally added because Accounting-Request packets were allowed to have a request authenticator of all zeros. The "Request-Authenticator = verified" then meant that the Accounting-Request packet was properly signed.
But... the "request authenticator of all zeros" has been forbidden by FreeRADIUS for the better part of a decade. Therefore the "Request-Authenticator = verified" was ALWAYS set, and was useless.
Fix your script to not look for Request-Authenticator. Any logic you have based on that should be removed, and replaced with an "always true" setting for it.
Alan DeKok.
More information about the Freeradius-Users
mailing list