Request Authenticator value made available to a Perl module

Alan DeKok aland at
Thu Nov 16 22:30:28 UTC 2023

On Nov 16, 2023, at 5:14 PM, Brandon Miller <webasdf at> wrote:
> Thanks again for your previous responses.  I have attempted to set the
> encrypt=1 attribute in the vendor dictionary, but it is only
> decrypting the first 128 bytes of the message.  The message I am
> attempting to decrypt is larger than 128 bytes.  After reading the
> RFC2865 section 5.2, I see that password decryption is limited to 128
> bytes.  Unfortunately, our vendor will not change how they are doing
> things, so I'm rather stuck.

  You should say which vendor it is.

  I've had a number of run-ins with vendors over the years.  It's always nice to be able to point out that I've written many of the RADIUS RFCs.  And that if I say they're behavior is wrong, then it's likely wrong.

  The problem is that vendors tend to grab engineers at random, and say "go do some RADIUS work".  They don't really understand the RFCs.  They don't understand how people use RADIUS in the real world.  They just write some garbage code, ship it, and then wonder why people are upset.

  Even worse, most vendors tend to argue that their team are complete geniuses, and they can't possibly get anything wrong.  They tend to get embarrassed when I point out I've been doing this since their engineers were in kindergarten.

>  I have all the relevant code written in
> my Perl module to decrypt values larger than 128 bytes, but I simply
> don't have access to the RADIUS authenticator (random nonce value)
> outside of the RAD_REQUEST hash.  Are there any configuration options
> available to change the maximum decryption length to greater than 128
> bytes or any way for me to retrieve the RADIUS authenticator inside my
> Perl script?  I suppose worst case scenario would be to downgrade to
> an older version where I can retrieve the %V expansion parameter
> mentioned earlier.  I'd hate to do that though.

  If you're going to modify the source code to add %V, then just change the source code so that MAX_PASS_LEN is 192 instead of 128.

  And send over the vendor dictionaries so that we can include them in the next version of the server.  There's no secret information in them, and you didn't sign an NDA to look at them.

  Alan DeKok.

More information about the Freeradius-Users mailing list