How to decode radius packet without secret? #10

chrisdew opened this issue Aug 6, 2014 · 4 comments

chrisdew commented Aug 6, 2014

Wireshark can decode the fields of a radius packet without a secret.

This makes me think that the secret is not needed for decoding. Why does the node-radius API require it?

I have a server with multiple secrets, and need to know the value of an attribute inside of the radius packet, in order to choose which secret to use.

How can I achieve this?

@muirmanders

The secret is needed to decrypt the User-Password if present, and to verify the authenticator and/or Message-Authenticator. If the packet can be decoded but the authenticator does not match, the library throws a radius.InvalidSecretError exception with the decoded packet set as the exception's "decoded" attribute.

var decoded;
try {
  decoded = radius.decode({packet: msg, secret: ''});
} catch (e) {
  if (e instanceof radius.InvalidSecretError) {
    decoded = e.decoded;
  } else {
    // handle other decoding error
  }
}

chrisdew commented Aug 6, 2014

Thanks for your quick answer.

Would you be interested in a pull request so that decode doesn't raise an InvalidSecretError if secret is explicitly set as null?

If it's not going to make it into the mainline code, I'll just use the code you wrote above.

@muirmanders

I would prefer adding a separate method to make it clear it is unsafe since it wouldn't force the user of the library to handle un-authenticatable messages. Also, passing in a null secret could very well be the result of an application error when using the library, in which case the accept-all-packets behavior might be unexpected.
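
Added example, not part of the original thread and not node-radius code: a stand-alone sketch of the flow discussed above, where an unauthenticated parse is used only to choose a shared secret and the packet is trusted only after its Message-Authenticator verifies with that secret. The function names, the use of NAS-Identifier (attribute 32) as the selecting attribute, and the sample packet are assumptions made for illustration.

```javascript
// Added example; not node-radius code. All names and sample values are constructed.
const crypto = require('crypto');

// RFC 2865 layout: code(1) id(1) length(2) authenticator(16), then type/len/value attributes.
function parseUnauthenticated(packet) {
  if (packet.length < 20) throw new Error('short packet');
  const length = packet.readUInt16BE(2);
  if (length < 20 || length > packet.length) throw new Error('bad length');
  const attrs = [];
  for (let off = 20; off < length;) {
    if (off + 2 > length) throw new Error('truncated attribute');
    const type = packet[off], len = packet[off + 1];
    if (len < 2 || off + len > length) throw new Error('bad attribute length');
    attrs.push({ type, offset: off, value: packet.subarray(off + 2, off + len) });
    off += len;
  }
  return { code: packet[0], length, attrs };
}

// Message-Authenticator (type 80), Access-Request: HMAC-MD5 over the packet with its 16 value bytes zeroed.
function verifyMessageAuthenticator(packet, parsed, secret) {
  const ma = parsed.attrs.find(a => a.type === 80);
  if (!ma || ma.value.length !== 16) return false;
  const copy = Buffer.from(packet.subarray(0, parsed.length));
  copy.fill(0, ma.offset + 2, ma.offset + 18);
  const expected = crypto.createHmac('md5', secret).update(copy).digest();
  return crypto.timingSafeEqual(expected, ma.value);
}

// Use the unauthenticated NAS-Identifier (type 32) only to pick a secret, then verify.
function authenticate(packet, secrets) {
  const parsed = parseUnauthenticated(packet);
  const nas = parsed.attrs.find(a => a.type === 32);
  const nasId = nas ? nas.value.toString('utf8') : null;
  const secret = secrets.get(nasId);
  if (!secret) return { ok: false, reason: 'unknown NAS' };
  const ok = verifyMessageAuthenticator(packet, parsed, secret);
  return ok ? { ok, nasId } : { ok, reason: 'bad Message-Authenticator' };
}

// Constructed sample Access-Request (code 1) with NAS-Identifier and Message-Authenticator.
function buildSample(nasId, secret) {
  const id = Buffer.from(nasId);
  const body = Buffer.concat([Buffer.from([32, 2 + id.length]), id, Buffer.from([80, 18]), Buffer.alloc(16)]);
  const head = Buffer.alloc(20, 0x5a); // constructed, fixed Request Authenticator
  head[0] = 1; head[1] = 7; head.writeUInt16BE(20 + body.length, 2);
  const pkt = Buffer.concat([head, body]);
  crypto.createHmac('md5', secret).update(pkt).digest().copy(pkt, pkt.length - 16);
  return pkt;
}
```

Here `secrets` is a `Map` from NAS-Identifier to shared secret; a packet without a Message-Authenticator is rejected rather than accepted unauthenticated.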

@muirmanders muirmanders reopened this Aug 6, 2014
chrisdew commented Sep 8, 2014

Code was written and merged in 36248dc and 475bba0

@chrisdew chrisdew closed this as completed Sep 8, 2014