Authenticator
The authenticator field, 16 octets long, is the field through which the integrity of the packet's payload is inspected and verified; it carries the value used to authenticate replies from the accounting server. Its most significant octet is transmitted first.
There are two distinct types of authenticator: the request authenticator and the response authenticator. A request authenticator is a 16-octet MD5 digest computed over the code, identifier, length, 16 "zeroed-out" octets standing in for the authenticator itself, the attributes, and the shared secret. The resulting digest is placed in the authenticator field.
Tip
It's important to notice the distinction between how the request authenticator is computed in the accounting phase and in the authentication/authorization phase. The difference lies squarely in the fact that in accounting packets, the User-Password attribute is not included.
The response authenticator is calculated in much the same way as the request authenticator. An MD5 hash is generated over the code, identifier, length, the request authenticator from the original request, the response attributes, and the shared secret; the resulting digest is placed in the authenticator field.
It is also important to point out that some early RADIUS and NAS implementations send some accounting packets with the authenticator region set to all zeroes. While the RFCs have been modified to specifically forbid this behavior, for backward compatibility purposes some RADIUS ...
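The request and response authenticator computations described above, together with the all-zero legacy case from the last paragraph, as an added Python example that is not part of the original text: it encodes a small constructed Accounting-Request, derives the request and response authenticators as RFC 2866 section 3 specifies (MD5 over code, identifier, length, 16 zero octets or the request authenticator, attributes, and shared secret), and verifies each on the receiving side with a constant-time comparison. The verifier refuses an all-zero request authenticator unless an explicit compatibility flag is set. The identifier, attribute values, and shared secret are constructed sample data, not values from any real deployment.

```python
import hashlib
import hmac
import struct

# RADIUS header layout: Code (1), Identifier (1), Length (2), Authenticator (16)
HEADER_LEN = 20
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5


def encode_attributes(attrs):
    """Encode a list of (type, value_bytes) pairs as RADIUS Type-Length-Value attributes."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for a single RADIUS attribute")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def request_authenticator(code, identifier, attributes, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def response_authenticator(code, identifier, attributes, req_auth, secret):
    """RFC 2866: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + req_auth + attributes + secret).digest()


def build_accounting_request(identifier, attrs, secret):
    """Assemble a complete Accounting-Request packet (header + authenticator + attributes)."""
    attributes = encode_attributes(attrs)
    auth = request_authenticator(ACCOUNTING_REQUEST, identifier, attributes, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def build_accounting_response(request, attrs, secret):
    """Assemble the Accounting-Response for a given request, binding it to the request authenticator."""
    _, identifier, _ = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attributes = encode_attributes(attrs)
    auth = response_authenticator(ACCOUNTING_RESPONSE, identifier, attributes, req_auth, secret)
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, identifier, HEADER_LEN + len(attributes))
    return header + auth + attributes


def verify_accounting_request(packet, secret, allow_zero_authenticator=False):
    """Recompute the request authenticator and compare it in constant time.

    An all-zero authenticator (sent by some early implementations) is rejected
    unless the caller explicitly opts into that compatibility behaviour.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < HEADER_LEN or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and are ignored
    received = packet[4:20]
    if received == bytes(16):
        return allow_zero_authenticator
    expected = request_authenticator(code, identifier, packet[20:], secret)
    return hmac.compare_digest(received, expected)


def verify_accounting_response(response, request, secret):
    """Check that a response was produced by a server holding the secret, for this exact request."""
    if len(response) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or length < HEADER_LEN or length > len(response):
        return False
    if identifier != request[1]:
        return False
    response = response[:length]
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return hmac.compare_digest(response[4:20], expected)


# Constructed sample data: Acct-Status-Type (40) = Start (1), User-Name (1), Acct-Session-Id (44)
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [(40, struct.pack("!I", 1)), (1, b"alice"), (44, b"0001")]

if __name__ == "__main__":
    req = build_accounting_request(7, SAMPLE_ATTRS, SAMPLE_SECRET)
    resp = build_accounting_response(req, [], SAMPLE_SECRET)
    print("request authenticator :", req[4:20].hex())
    print("response authenticator:", resp[4:20].hex())
    print("request verifies      :", verify_accounting_request(req, SAMPLE_SECRET))
    print("response verifies     :", verify_accounting_response(resp, req, SAMPLE_SECRET))
```

Because the response digest covers the original request authenticator, a server reply can only be matched to the one request it answers; a client that skips `verify_accounting_response` accepts any datagram with the right identifier as confirmation that accounting data was recorded.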