Request Authenticator value made available to a Perl module

Brandon Miller webasdf at
Wed Nov 15 05:58:52 UTC 2023

Hi Alan,

Thanks for the reply. I am in need of the request authenticator because of
the way a VSA is coming across. When you said that FreeRADIUS should
decrypt any encrypted attributes, it got me thinking. I remembered that our
vendor said they use rfc2865 to encrypt this attribute. I am about to go to
bed for the night and just connected the dots.  I checked the dictionary
file and I do not see the encrypt=1 clause in there for this attribute.
I'll give that a try tomorrow.

Upgrading FreeRADIUS is also in order.


On Tue, Nov 14, 2023, 6:34 PM Alan DeKok <aland at> wrote:

> On Nov 14, 2023, at 6:14 PM, Brandon Miller <webasdf at> wrote:
> > I am working on a Perl module that requires access to the Request
> > Authenticator value for each Access-Request.
>   Why?
>   The Request Authenticator is only used to sign packets.  It has zero
> value once the packet is received.
> > I combed through the docs and found the Request-Authenticator Runtime
> > variable (  I
> > tried to dynamically assign this variable (%V) to a Radius-Request
> > variable in my site definition file, but the server won't start with
> > error:
>   I think %V was removed a long time ago.
> > /etc/raddb/sites-enabled/myPerlSite[17]: Failed parsing expanded string:
> > /etc/raddb/sites-enabled/myPerlSite[17]: %V
> > /etc/raddb/sites-enabled/myPerlSite[17]:  ^ Invalid variable expansion
> >
> > It seems this variable has been deprecated in v3.  Is there any way to
> > get at this variable in another way?   I am running v3.0.13.
>   You don't need access to the Request Authenticator.  If you think you
> do, then something very weird is going on,
>   i.e. the only reason to look at the Request Authenticator is for (a)
> packet validation, and (b) attribute decryption.  For (a), the server core
> takes are of that.  Don't do it in Perl.
>   For (b), update the dictionaries, and the server will automatically
> decrypt attributes.
>   If you need something else, then explain what you need, and why you need
> it.  Just saying "I need access to the Request Authenticator" doesn't
> help.  There are very very few reasons why that's necessary.
>   And 3.0.13 is very old.  You should use a more recent version of the
> server.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list