pyrad and Cisco Invalid Authenticator

Posted on in Programming

cover image for article

I've been working on a RADIUS client in Python that can send a disconnect message (packet of disconnect) to a Cisco router. I'm using pyrad 1.2 for the project.

I ran into this problem pretty quickly:

POD: request queued
POD: Illegal authenticator in POD from
POD: Added Reply Message: Invalid Authenticator
POD: Added NACK Error Cause: Invalid Request
POD: Sending NAK from port 3799 to

The above is output derived using the IOS debug aaa pod command.

At first blush, it looks like a shared secret (password) mismatch. But after retyping the password several times on the router and in the code, I realized that wasn't the case.

I stumbled across this seven year old (RADIATOR) Packet of Disconnect thread that solved it for me.

The problem is that I was using pyrad's Client.CreateAuthPacket() method to create the packet. What I didn't realize is that authentication and accounting packets use different methods to calculate the authenticator. Packets of disconnect use the same method as accounting packets. As soon as I started using Client.CreateAcctPacket(), everything started working.

My Bookshelf

Reading Now

Other Stuff