Request Authenticator value made available to a Perl module
Alan DeKok
aland at deployingradius.com
Wed Nov 15 00:34:09 UTC 2023
On Nov 14, 2023, at 6:14 PM, Brandon Miller <webasdf at gmail.com> wrote:
> I am working on a Perl module that requires access to the Request
> Authenticator value for each Access-Request.
Why?
The Request Authenticator is only used to sign packets. It has zero value once the packet is received.
> I combed through the docs and found the Request-Authenticator Runtime
> variable (https://wiki.freeradius.org/config/run_time_variables). I
> tried to dynamically assign this variable (%V) to a Radius-Request
> variable in my site definition file, but the server won't start with
> error:
I think %V was removed a long time ago.
> /etc/raddb/sites-enabled/myPerlSite[17]: Failed parsing expanded string:
> /etc/raddb/sites-enabled/myPerlSite[17]: %V
> /etc/raddb/sites-enabled/myPerlSite[17]: ^ Invalid variable expansion
>
> It seems this variable has been deprecated in v3. Is there any way to
> get at this variable in another way? I am running v3.0.13.
You don't need access to the Request Authenticator. If you think you do, then something very weird is going on,
i.e. the only reason to look at the Request Authenticator is for (a) packet validation, and (b) attribute decryption. For (a), the server core takes are of that. Don't do it in Perl.
For (b), update the dictionaries, and the server will automatically decrypt attributes.
If you need something else, then explain what you need, and why you need it. Just saying "I need access to the Request Authenticator" doesn't help. There are very very few reasons why that's necessary.
And 3.0.13 is very old. You should use a more recent version of the server.
Alan DeKok.
More information about the Freeradius-Users
mailing list