[RADIATOR] Authenticator check et calculation

Laurent Duru laurent.duru at lugos.fr
Fri Mar 8 16:00:21 UTC 2019

Hi All,

We faced an issue with wrong authenticator on answers sent by Radiator.
In our design, client source IP is NATed, here is an example of radius.cfg client configuration for discussion :

        Secret azerty
        Identifier CLIENT

<Client DEFAULT>
        Secret qwerty
        Identifier Default


When receiving Access Request with authenticator from NAT_CLIENT_IP, our radiator accepts the request and send an access-accept. That means the authenticator check is OK and that the usage of the secret “azerty is OK. I think radiator is checking client on NAS-IP-ADDRESS and not IP header address.

When creating authenticator for the answer which IP is used ? and then is it “azerty” or “qwerty” that is used as secret ?
To have a working config we had to add :
        Secret azerty
        Identifier CLIENT

Seems to mean radiator is using IP header address to calculate the answer and not NAS-IP-ADDRESS.

Does anybody faced the same and can confirm ?

Have a nice week-end,


Laurent DURU
Lugos, Expertise Réseaux, Métrologie & Sécurité
M: +33 6 28 09 88 94
laurent.duru at lugos.fr<mailto:laurent.duru at lugos.fr>
Adoptez l’éco-attitude.  N’imprimez ce mail que si c’est vraiment nécessaire.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20190308/f34d8d4a/attachment.html>

More information about the radiator mailing list