3.14.41. IgnoreAcctSignature Previous topic Parent topic Child topic Next topic

If you define IgnoreAcctSignature, it prevents the server from checking the authenticator Authenticator field in requests received from this client. Contrary to its name, it applies to all message types and also prevents checking the Message-Authenticator attribute. This parameter is useful because some clients do not send Authenticators that conform to RADIUS RFCs.
By default, the server logs and ignores messages that do not have a correct Authenticator, or any messages that do not have a correct Message-Authenticator attribute. Regardless of the setting of this parameter, the server always sends a correctly computed Authenticator and Message-Authenticator attribute.
CAUTION
This parameter is seldom required with current RADIUS implementations. You should first check that the shared secret between Radiator and client is correct before enabling this paramter.
If you get bad authenticator log messages and the accounting requests are not being stored even though authentication as such does not fail, and you have checked that the shared secrets are correct, try enabling IgnoreAccSignature. The bad authenticator log message looks this:
Bad authenticator in request from <client name> (<nas identifier>)
If you get bad EAP Message-Authenticator log messages and you have checked that the shared secrets are correct, it is possible that the NAS is sending an incorrect implementation of Message-Authenticator. Try enabling IgnoreAccSignature. The bad EAP Message-Authenticator log message looks this:
Bad EAP Message-Authenticator
Tip
Some NASs have separate secrets for authentication and accounting requests.
# brian.open.com.au has a broken legacy NAS
<Client 10.20.30.40>
      Identifier brian.open.com.au
      Secret 666obaFGkmRNs666
      IgnoreAcctSignature
</Client>