[erlang-questions] RADIUS decode/encode

Kirill Ratkin <>
Fri Oct 9 15:29:15 CEST 2015

Hi guys,

Who played with RADIUS?

I'm trying to make a test application which decodes a request and encodes a response.

Here is the code:

handle_info({udp, Socket, IP, Port, Packet}, State) ->
    io:format("Packet is ~p~n", [hexlify(Packet)]),

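    <<Code:8, Identifier:8, Length:16, Authenticator:128,
      Attributes/binary>> = Packet,

    io:format("Packet is ~p,~p,~p,~p,~p~n",
              [Code, Identifier, Length, Authenticator, Attributes]),

    %% A RADIUS attribute is laid out as Type, Length, Value
    <<Type:8, Len:8, Body/binary>> = Attributes,

    io:format("AVP: ~p, ~p, ~p~n", [Len, Type, Body]),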

    AVPCode         = 18,
    AVPMessage      = <<"You dick">>,
    AVPSize         = byte_size(AVPMessage) + 2,
    AVPResponse     = <<AVPCode:8, AVPSize:8, AVPMessage/binary>>,
    RCode           = 2,    % calculated based on logic, accept is now for
    RLength         = byte_size(AVPResponse) + 20,
    Secret          = <<"secret">>,
    RAuthenticator  = erlang:md5(<<Code:8, Identifier:8, Length:16,
Authenticator:128, AVPResponse/binary, Secret/binary>>),
    Response        = <<RCode, Identifier, RLength:16,
RAuthenticator/binary, AVPResponse/binary>>,

    gen_udp:send(Socket, IP, Port, Response),

    inet:setopts(Socket, [{active, once}]),
    {noreply, State};

It works but ... 'radclient' says the Response Authenticator is not correct.

This is its output:

$ echo "User-Name = test" | radclient -x localhost:1812 auth secret
Sending Access-Request Id 68 from to
    User-Name = 'test'
Received Access-Accept Id 68 from to length
(0) Reply verification failed: Received Access-Accept packet from home
server port 1812 with invalid Response Authenticator!  (Shared
secret is incorrect.)

RFC says:

      Response Authenticator

         The value of the Authenticator field in Access-Accept, Access-
         Reject, and Access-Challenge packets is called the Response
         Authenticator, and contains a one-way MD5 hash calculated over
         a stream of octets consisting of: the RADIUS packet, beginning
         with the Code field, including the Identifier, the Length, the
         Request Authenticator field from the Access-Request packet, and
         the response Attributes, followed by the shared secret.  That
         is, ResponseAuth =
         MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where +
         denotes concatenation.

It seems I do what the RFC recommends but ...
I don't see the mistake :(.

Please help if you see my fault.
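
The Response Authenticator rule quoted from the RFC above, as an added example that is not part of the original post: the Code and Length that go into the hash are the response packet's own fields, and only the 16-byte authenticator is taken from the Access-Request. The module name, function names and the sample packet are constructed for illustration.

```erlang
-module(radius_auth_example).
-export([access_accept/3, verify_response/3, demo/0]).

%% Encode one attribute as Type, Length, Value (Length counts the 2 header bytes).
attr(Type, Value) ->
    <<Type:8, (byte_size(Value) + 2):8, Value/binary>>.

%% Build an Access-Accept (code 2) for a received Access-Request.
%% Attrs is the already-encoded response attribute binary.
access_accept(<<_ReqCode:8, Id:8, _ReqLen:16, ReqAuth:16/binary, _/binary>>,
              Attrs, Secret) ->
    RCode = 2,
    RLen  = 20 + byte_size(Attrs),
    %% MD5 over: response Code, Identifier, response Length,
    %% Request Authenticator, response attributes, shared secret.
    RAuth = erlang:md5([<<RCode:8, Id:8, RLen:16>>, ReqAuth, Attrs, Secret]),
    <<RCode:8, Id:8, RLen:16, RAuth/binary, Attrs/binary>>.

%% The check a client performs on a reply, given the Request Authenticator
%% it sent. Returns true or false.
verify_response(<<Code:8, Id:8, Len:16, RAuth:16/binary, Rest/binary>>,
                ReqAuth, Secret)
  when Len >= 20, byte_size(Rest) >= Len - 20 ->
    AttrLen = Len - 20,
    <<Attrs:AttrLen/binary, _Padding/binary>> = Rest,
    Expected = erlang:md5([<<Code:8, Id:8, Len:16>>, ReqAuth, Attrs, Secret]),
    Expected =:= RAuth;
verify_response(_, _, _) ->
    false.

%% Constructed sample: Access-Request Id 68 carrying User-Name = "test".
demo() ->
    Secret   = <<"secret">>,
    ReqAuth  = <<0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15>>,
    UserName = attr(1, <<"test">>),
    ReqLen   = 20 + byte_size(UserName),
    Request  = <<1:8, 68:8, ReqLen:16, ReqAuth/binary, UserName/binary>>,
    Attrs    = attr(18, <<"Hello">>),            % Reply-Message
    Response = access_accept(Request, Attrs, Secret),
    true = verify_response(Response, ReqAuth, Secret),
    %% Hashing the request's Code and Length instead yields a digest
    %% that fails the same check.
    Wrong = erlang:md5([<<1:8, 68:8, ReqLen:16>>, ReqAuth, Attrs, Secret]),
    RLen  = byte_size(Response),
    Bad   = <<2:8, 68:8, RLen:16, Wrong/binary, Attrs/binary>>,
    false = verify_response(Bad, ReqAuth, Secret),
    ok.
```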