If you define IgnoreAcctSignature, it prevents the server from checking the Authenticator field in requests received from this client. Contrary to its name, it applies to all message types and also prevents checking the Message-Authenticator attribute. This parameter is useful because some clients do not send Authenticators that conform to RADIUS RFCs.
By default, the server logs and ignores messages that do not have a correct Authenticator, or any messages that do not have a correct Message-Authenticator attribute. Regardless of the setting of this parameter, the server always sends a correctly computed Authenticator and Message-Authenticator attribute.
CAUTION
This parameter is seldom required with current RADIUS implementations. You should first check that the shared secret between Radiator and client is correct before enabling this parameter.
If you get bad authenticator log messages and the accounting requests are not being stored even though authentication as such does not fail, and you have checked that the shared secrets are correct, try enabling IgnoreAcctSignature. The bad authenticator log message looks like this:
Bad authenticator in request from <client name> (<nas identifier>)
If you get bad EAP Message-Authenticator log messages and you have checked that the shared secrets are correct, it is possible that the NAS is sending an incorrect implementation of Message-Authenticator. Try enabling IgnoreAcctSignature. The bad EAP Message-Authenticator log message looks like this:
Bad EAP Message-Authenticator
Tip
Some NASs have separate secrets for authentication and accounting requests.
# brian.open.com.au has a broken legacy NAS
<Client 10.20.30.40>
    Identifier brian.open.com.au
    Secret 666obaFGkmRNs666
    IgnoreAcctSignature
</Client>
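
Before disabling the checks, the shared-secret test recommended above can be run offline against a captured request. The following is an added example, not Radiator code: it recomputes the Accounting-Request Authenticator (RFC 2866) and the Access-Request Message-Authenticator (RFC 2869) for a candidate secret. The function names, the secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869)

def acct_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Accounting-Request (RFC 2866): MD5(header + 16 zero octets + attrs + secret)."""
    if len(packet) < 20:
        return False  # shorter than a RADIUS header
    packet = packet[:struct.unpack("!H", packet[2:4])[0]]  # drop trailing padding
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Access-Request (RFC 2869): HMAC-MD5 of the packet with the attribute value zeroed."""
    if len(packet) < 20:
        return False
    packet = packet[:struct.unpack("!H", packet[2:4])[0]]
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute list
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # attribute not present

SECRET = b"example-shared-secret"  # constructed sample values, not captured traffic
ATTRS = b"\x01\x07alice" + b"\x28\x06\x00\x00\x00\x01"  # User-Name, Acct-Status-Type=Start

def sample_acct_request(secret: bytes) -> bytes:
    header = struct.pack("!BBH", 4, 1, 20 + len(ATTRS))  # code 4 = Accounting-Request
    return header + hashlib.md5(header + bytes(16) + ATTRS + secret).digest() + ATTRS

def sample_access_request(secret: bytes) -> bytes:
    attrs = b"\x01\x07alice" + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", 1, 2, 20 + len(attrs)) + bytes(range(16))  # fixed demo authenticator
    mac = hmac.new(secret, head + attrs, hashlib.md5).digest()
    return head + attrs[:-16] + mac

if __name__ == "__main__":
    good = sample_acct_request(SECRET)
    print("right secret:", acct_authenticator_ok(good, SECRET))
    print("wrong secret:", acct_authenticator_ok(good, b"typo-in-secret"))
    print("Message-Authenticator:", message_authenticator_ok(sample_access_request(SECRET), SECRET))
```

If a captured request verifies with the secret the NAS is supposed to use, the configured Secret is the problem; if it fails with every plausible secret, the NAS is more likely computing the field incorrectly.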