Request Authenticator value made available to a Perl module

Brandon Miller webasdf at
Thu Nov 16 22:14:37 UTC 2023

Hello Alan,

Thanks again for your previous responses.  I have attempted to set the
encrypt=1 attribute in the vendor dictionary, but it is only
decrypting the first 128 bytes of the message.  The message I am
attempting to decrypt is larger than 128 bytes.  After reading the
RFC2865 section 5.2, I see that password decryption is limited to 128
bytes.  Unfortunately, our vendor will not change how they are doing
things, so I'm rather stuck.  I have all the relevant code written in
my Perl module to decrypt values larger than 128 bytes, but I simply
don't have access to the RADIUS authenticator (random nonce value)
outside of the RAD_REQUEST hash.  Are there any configuration options
available to change the maximum decryption length to greater than 128
bytes or any way for me to retrieve the RADIUS authenticator inside my
Perl script?  I suppose worst case scenario would be to downgrade to
an older version where I can retrieve the %V expansion parameter
mentioned earlier.  I'd hate to do that though.

Thanks for any help,

On Wed, Nov 15, 2023 at 6:12 AM Alan DeKok <aland at> wrote:
> On Nov 15, 2023, at 12:58 AM, Brandon Miller <webasdf at> wrote:
> > Thanks for the reply. I am in need of the request authenticator because of
> > the way a VSA is coming across. When you said that FreeRADIUS should
> > decrypt any encrypted attributes, it got me thinking. I remembered that our
> > vendor said they use rfc2865 to encrypt this attribute. I am about to go to
> > bed for the night and just connected the dots.  I checked the dictionary
> > file and I do not see the encrypt=1 clause in there for this attribute.
> > I'll give that a try tomorrow.
>   Exactly.
>   Please also send over updates to any dictionaries, so that other people don't run into the same problem.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
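
An added sketch of the RFC 2865 section 5.2 hiding scheme this message refers to, written here and not taken from the poster's module or from FreeRADIUS. It assumes the vendor simply continues the same MD5 chaining past 128 octets; the function names, shared secret, and authenticator value are constructed for illustration.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5);

# RFC 2865 section 5.2: c(i) = p(i) XOR MD5(secret . c(i-1)),
# where c(0) is the 16-octet Request Authenticator. No 128-octet cap here.
sub rfc2865_hide {
    my ($secret, $authenticator, $plain) = @_;
    die "authenticator must be 16 octets\n" unless length($authenticator) == 16;
    # Pad with NULs to a multiple of 16 octets, as the RFC requires.
    $plain .= "\0" x ((16 - length($plain) % 16) % 16);
    my ($prev, $out) = ($authenticator, '');
    for (my $i = 0; $i < length($plain); $i += 16) {
        my $block = substr($plain, $i, 16) ^ md5($secret . $prev);  # string XOR
        $out .= $block;
        $prev = $block;          # next block is keyed by this ciphertext block
    }
    return $out;
}

# Inverse of rfc2865_hide for ciphertext of any multiple-of-16 length.
sub rfc2865_unhide {
    my ($secret, $authenticator, $cipher) = @_;
    die "authenticator must be 16 octets\n" unless length($authenticator) == 16;
    die "ciphertext must be a non-empty multiple of 16 octets\n"
        if length($cipher) == 0 || length($cipher) % 16;
    my ($prev, $out) = ($authenticator, '');
    for (my $i = 0; $i < length($cipher); $i += 16) {
        my $block = substr($cipher, $i, 16);
        $out .= $block ^ md5($secret . $prev);
        $prev = $block;
    }
    $out =~ s/\0+\z//;  # strips padding; also truncates values that end in NULs
    return $out;
}

# Constructed sample input: 200 octets, above the 128-octet limit in the RFC.
my $secret = 'testing123';
my $ra     = pack('H*', '000102030405060708090a0b0c0d0e0f');
my $value  = 'A' x 200;
my $hidden = rfc2865_hide($secret, $ra, $value);
printf "hidden length: %d octets\n", length $hidden;
print "round trip: ", (rfc2865_unhide($secret, $ra, $hidden) eq $value ? "ok" : "FAILED"), "\n";

# With the wrong authenticator only the first 16 octets come out wrong,
# because every later block is keyed by the previous ciphertext block.
my $guess = rfc2865_unhide($secret, "\xff" x 16, $hidden);
print "octets 17 onward match: ", (substr($guess, 16) eq substr($value, 16) ? "yes" : "no"), "\n";
```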
