If you define IgnoreAcctSignature, it prevents the server from checking the Authenticator field in requests received from this client. Contrary to its name, it applies to all message types and also prevents checking the Message-Authenticator attribute. This parameter is useful because some clients do not send Authenticators that conform to RADIUS RFCs.
By default, the server logs and ignores messages that do not have a correct Authenticator, or any messages that do not have a correct Message-Authenticator attribute. Regardless of the setting of this parameter, the server always sends a correctly computed Authenticator and Message-Authenticator attribute.
CAUTION
This parameter is seldom required with
current RADIUS implementations. You should first check that the shared
secret between Radiator and client is correct before enabling this
parameter.
If you get bad authenticator log messages and the accounting requests are not being stored even though authentication as such does not fail, and you have checked that the shared secrets are correct, try enabling IgnoreAcctSignature. The bad authenticator log message looks like this:
Bad authenticator in request from <client name> (<nas identifier>)
If you get bad EAP Message-Authenticator log messages and you have checked that the shared secrets are correct, it is possible that the NAS is sending an incorrect implementation of Message-Authenticator. Try enabling IgnoreAcctSignature. The bad EAP Message-Authenticator log message looks like this:
Bad EAP Message-Authenticator
Tip
Some NASs have separate secrets for authentication and
accounting requests.
# brian.open.com.au has a broken legacy NAS
<Client 10.20.30.40>
Identifier brian.open.com.au
Secret 666obaFGkmRNs666
IgnoreAcctSignature
</Client>
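Before enabling IgnoreAcctSignature, it helps to confirm whether a captured request fails because of the secret or because of the client. The following is an added example, not part of the Radiator documentation or code: it recomputes the Accounting-Request Authenticator (RFC 2866) and the Access-Request Message-Authenticator (RFC 2869) and reports which configured secret, if any, validates the packet. The function names, secrets and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4      # RADIUS Code, RFC 2866
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869

def acct_authenticator(packet: bytes, secret: bytes) -> bytes:
    """RFC 2866: MD5(Code+ID+Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()

def acct_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """True if an Accounting-Request carries the Authenticator the RFC requires."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST or \
            struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    return hmac.compare_digest(packet[4:20], acct_authenticator(packet, secret))

def message_authenticator_ok(packet: bytes, secret: bytes):
    """Access-Request check: HMAC-MD5 over the packet with the attribute value
    zeroed (RFC 2869). Returns None when the attribute is absent."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += attr_len
    return None

def diagnose(packet: bytes, configured: dict) -> str:
    """Name the configured secret that validates the packet, or report none."""
    for label, secret in configured.items():
        if acct_authenticator_ok(packet, secret):
            return label
    return "no configured secret matches"

# Constructed sample: Accounting-Request, Acct-Status-Type=Start, signed with
# a separate accounting secret (all values made up for this example).
SECRETS = {"auth secret": b"example-auth", "accounting secret": b"example-acct"}
_attrs = bytes([40, 6, 0, 0, 0, 1])
_hdr = struct.pack("!BBH", ACCOUNTING_REQUEST, 7, 20 + len(_attrs))
SAMPLE = _hdr + hashlib.md5(_hdr + b"\x00" * 16 + _attrs + b"example-acct").digest() + _attrs

if __name__ == "__main__":
    print(diagnose(SAMPLE, SECRETS))
```

A match on a secret other than the one in the Client clause points to a secret mismatch rather than a non-conforming client; only when no known secret validates the packet is the client's Authenticator computation itself suspect.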