Request Authenticator value made available to a Perl module
Brandon Miller
webasdf at gmail.com
Wed Nov 15 05:58:52 UTC 2023
Hi Alan,

Thanks for the reply. I am in need of the request authenticator because of
the way a VSA is coming across. When you said that FreeRADIUS should
decrypt any encrypted attributes, it got me thinking. I remembered that our
vendor said they use rfc2865 to encrypt this attribute. I am about to go to
bed for the night and just connected the dots. I checked the dictionary
file and I do not see the encrypt=1 clause in there for this attribute.
I'll give that a try tomorrow.

Upgrading FreeRADIUS is also in order.

Thanks!
Brandon

On Tue, Nov 14, 2023, 6:34 PM Alan DeKok <aland at deployingradius.com> wrote:
> On Nov 14, 2023, at 6:14 PM, Brandon Miller <webasdf at gmail.com> wrote:
> > I am working on a Perl module that requires access to the Request
> > Authenticator value for each Access-Request.
>
> Why?
>
> The Request Authenticator is only used to sign packets. It has zero
> value once the packet is received.
>
> > I combed through the docs and found the Request-Authenticator Runtime
> > variable (https://wiki.freeradius.org/config/run_time_variables). I
> > tried to dynamically assign this variable (%V) to a Radius-Request
> > variable in my site definition file, but the server won't start with
> > error:
>
> I think %V was removed a long time ago.
>
> > /etc/raddb/sites-enabled/myPerlSite[17]: Failed parsing expanded string:
> > /etc/raddb/sites-enabled/myPerlSite[17]: %V
> > /etc/raddb/sites-enabled/myPerlSite[17]: ^ Invalid variable expansion
> >
> > It seems this variable has been deprecated in v3. Is there any way to
> > get at this variable in another way? I am running v3.0.13.
>
> You don't need access to the Request Authenticator. If you think you
> do, then something very weird is going on,
>
> i.e. the only reason to look at the Request Authenticator is for (a)
> packet validation, and (b) attribute decryption. For (a), the server core
> takes care of that. Don't do it in Perl.
>
> For (b), update the dictionaries, and the server will automatically
> decrypt attributes.
>
> If you need something else, then explain what you need, and why you need
> it. Just saying "I need access to the Request Authenticator" doesn't
> help. There are very very few reasons why that's necessary.
>
> And 3.0.13 is very old. You should use a more recent version of the
> server.
>
> Alan DeKok.
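Added example, not part of the thread and not FreeRADIUS code: a Python implementation of the attribute hiding defined in RFC 2865 section 5.2, showing why decryption needs both the shared secret and the Request Authenticator, and what a module receives when the dictionary entry lacks the encrypt=1 flag. It assumes the vendor's "rfc2865" encryption is this User-Password method; the secret, authenticator and attribute value are constructed sample data.

```python
import hashlib

BLOCK = 16  # MD5 digest length, which is also the block size of the scheme


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide(value: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Sender: c(1) = p(1) XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not value:
        raise ValueError("empty value")
    padded = value + b"\x00" * (-len(value) % BLOCK)  # null-pad to 16n octets
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        prev = xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Receiver: the step a server performs for an attribute flagged encrypt=1."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += xor(block, hashlib.md5(secret + prev).digest())
        prev = block  # chaining uses the ciphertext block, not the plaintext
    return out.rstrip(b"\x00")  # padding is stripped; trailing NULs are lost


# Constructed sample data, not taken from the thread.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
VSA_VALUE = b"vendor-value-longer-than-16"

if __name__ == "__main__":
    on_wire = hide(VSA_VALUE, SECRET, REQUEST_AUTH)
    print("without encrypt=1 a module sees:", on_wire.hex())
    print("with encrypt=1 it sees:         ", unhide(on_wire, SECRET, REQUEST_AUTH))
    print("wrong authenticator gives:      ", unhide(on_wire, SECRET, bytes(16)))
```

The value is bound to one specific request: the same hidden octets replayed under a different Request Authenticator do not decrypt to the original value.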