Accept in Accounting Section

Kushal Gupta kushalgupta.me at gmail.com
Sat Dec 27 14:28:26 UTC 2025


Its for mitigating Blast Radius
Read Here: https://www.blastradius.fail/attack-details

On Sat, Dec 27, 2025 at 4:41 PM Erdal Emlik via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> Hi,
>
>
>
> I have a FreeRADIUS backend–proxy setup which I was previously running on
> FreeRADIUS 3.2.1 without any issues.
>
>
>
> After upgrading the backend-proxy to FreeRADIUS 3.2.8, I noticed a change
> in behavior:
>
> for users with static IP addresses, a Message-Authenticator attribute
> suddenly appears in Accounting-Response packets.
>
>
>
> This only happens for sessions where the IP address is not present in
> radippool (i.e. static IP users).
>
> Dynamic IP (CGNAT) users do not show this behavior.
>
>
>
> My configuration has always been the same, and the default behavior did
> not change on my side.
>
>
>
> Below is the debug output from the proxy side showing where the
> Message-Authenticator is added to the Accounting-Response:
>
>
>
> 56)   Proxy-State = 0x323533
>
> (56) Clearing existing &reply: attributes
>
> (56) Received Access-Accept Id 3 from 10.2.134.250:1813 to
> 172.18.0.2:50949 length 43
>
> (56)   Message-Authenticator = 0xcb7e447acd6eb189578d5ec25a844b36
>
> (56)   Proxy-State = 0x323533
>
> (56) server default {
>
> (56) }
>
> (56) Sent Accounting-Response Id 253 from 172.18.0.2:1813 to
> 193.192.126.156:1646 length 38
>
> (56)   Message-Authenticator = 0xcb7e447acd6eb189578d5ec25a844b36
>
> (56) Finished request
>
> (56) Cleaning up request packet ID 253 with timestamp +5 due to done
>
>
>
> Below is the relevant part of my accounting configuration.
>
> This has been in place for a long time, and I am not sure why accept was
> originally used here:
>
>
>
> ippoolv4 {
>
>     fail = 1
>
>     noop = 2
>
>     notfound = 3
>
> }
>
>
>
> if (fail) {
>
>     accept
>
> }
>
> if (noop) {
>
>     accept
>
> }
>
> if (notfound) {
>
>     accept
>
> }
>
>
>
> I could not find clear documentation explaining what accept actually does
> in the accounting section, and how it affects the generated response.
>
>
>
> My questions are:
>
> Does using accept here cause FreeRADIUS to internally treat this as an
> Access-Accept, even though this is an Accounting-Request?
>
> Could this be the reason why an Access-Accept is received from the backend
> on the accounting port, and why a Message-Authenticator is added to the
> Accounting-Response?
>
> Has the behavior of accept in accounting changed between 3.2.1 and 3.2.8?
>
>
>
> Any clarification on the semantics of accept in accounting, or pointers to
> relevant documentation or changelogs, would be greatly appreciated.
>
>
>
> Thanks in advance.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


More information about the Freeradius-Users mailing list