diff --git a/src/radius/radius.c b/src/radius/radius.c
index 37aa216..029e622 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -469,8 +469,10 @@
 			return -1;
 		msg->hdr->length = host_to_be16(wpabuf_len(msg->buf));
 		if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
-			     wpabuf_len(msg->buf), pos) < 0)
+			     wpabuf_len(msg->buf), pos) < 0) {
+			wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
 			return -1;
+		}
 	} else
 		msg->hdr->length = host_to_be16(wpabuf_len(msg->buf));
 
@@ -497,8 +499,10 @@
 	os_memcpy(msg->hdr->authenticator, req_authenticator,
 		  sizeof(msg->hdr->authenticator));
 	if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
-		     wpabuf_len(msg->buf), pos) < 0)
+		     wpabuf_len(msg->buf), pos) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
 		return -1;
+	}
 
 	/* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */
 	addr[0] = (u8 *) msg->hdr;
@@ -509,7 +513,10 @@
 	len[2] = wpabuf_len(msg->buf) - sizeof(struct radius_hdr);
 	addr[3] = secret;
 	len[3] = secret_len;
-	md5_vector(4, addr, len, msg->hdr->authenticator);
+	if (md5_vector(4, addr, len, msg->hdr->authenticator) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+		return -1;
+	}
 
 	if (wpabuf_len(msg->buf) > 0xffff) {
 		wpa_printf(MSG_WARNING, "RADIUS: Too long message (%lu)",
@@ -535,16 +542,20 @@
 	msg->hdr->length = host_to_be16(wpabuf_len(msg->buf));
 	os_memcpy(msg->hdr->authenticator, req_hdr->authenticator, 16);
 	if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
-		     wpabuf_len(msg->buf), pos) < 0)
+		     wpabuf_len(msg->buf), pos) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
 		return -1;
+	}
 
 	/* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */
 	addr[0] = wpabuf_head_u8(msg->buf);
 	len[0] = wpabuf_len(msg->buf);
 	addr[1] = secret;
 	len[1] = secret_len;
-	if (md5_vector(2, addr, len, msg->hdr->authenticator) < 0)
+	if (md5_vector(2, addr, len, msg->hdr->authenticator) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
 		return -1;
+	}
 
 	if (wpabuf_len(msg->buf) > 0xffff) {
 		wpa_printf(MSG_WARNING, "RADIUS: Too long message (%lu)",
@@ -555,8 +566,8 @@
 }
 
 
-void radius_msg_finish_acct(struct radius_msg *msg, const u8 *secret,
-			    size_t secret_len)
+int radius_msg_finish_acct(struct radius_msg *msg, const u8 *secret,
+			   size_t secret_len)
 {
 	const u8 *addr[2];
 	size_t len[2];
@@ -567,17 +578,22 @@
 	len[0] = wpabuf_len(msg->buf);
 	addr[1] = secret;
 	len[1] = secret_len;
-	md5_vector(2, addr, len, msg->hdr->authenticator);
+	if (md5_vector(2, addr, len, msg->hdr->authenticator) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+		return -1;
+	}
 
 	if (wpabuf_len(msg->buf) > 0xffff) {
 		wpa_printf(MSG_WARNING, "RADIUS: Too long messages (%lu)",
 			   (unsigned long) wpabuf_len(msg->buf));
+		return -1;
 	}
+	return 0;
 }
 
 
-void radius_msg_finish_acct_resp(struct radius_msg *msg, const u8 *secret,
-				 size_t secret_len, const u8 *req_authenticator)
+int radius_msg_finish_acct_resp(struct radius_msg *msg, const u8 *secret,
+				size_t secret_len, const u8 *req_authenticator)
 {
 	const u8 *addr[2];
 	size_t len[2];
@@ -588,12 +604,17 @@
 	len[0] = wpabuf_len(msg->buf);
 	addr[1] = secret;
 	len[1] = secret_len;
-	md5_vector(2, addr, len, msg->hdr->authenticator);
+	if (md5_vector(2, addr, len, msg->hdr->authenticator) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+		return -1;
+	}
 
 	if (wpabuf_len(msg->buf) > 0xffff) {
 		wpa_printf(MSG_WARNING, "RADIUS: Too long messages (%lu)",
 			   (unsigned long) wpabuf_len(msg->buf));
+		return -1;
 	}
+	return 0;
 }
 
 
@@ -614,7 +635,10 @@
 	len[2] = wpabuf_len(msg->buf) - sizeof(struct radius_hdr);
 	addr[3] = secret;
 	len[3] = secret_len;
-	md5_vector(4, addr, len, hash);
+	if (md5_vector(4, addr, len, hash) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+		return 1;
+	}
 	return os_memcmp_const(msg->hdr->authenticator, hash, MD5_MAC_LEN) != 0;
 }
 
@@ -642,7 +666,10 @@
 	len[2] = wpabuf_len(msg->buf) - sizeof(struct radius_hdr);
 	addr[3] = secret;
 	len[3] = secret_len;
-	md5_vector(4, addr, len, hash);
+	if (md5_vector(4, addr, len, hash) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+		return 1;
+	}
 	if (os_memcmp_const(msg->hdr->authenticator, hash, MD5_MAC_LEN) != 0)
 		return 1;
 
@@ -674,8 +701,11 @@
 		  sizeof(orig_authenticator));
 	os_memset(msg->hdr->authenticator, 0,
 		  sizeof(msg->hdr->authenticator));
-	hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
-		 wpabuf_len(msg->buf), auth);
+	if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
+		     wpabuf_len(msg->buf), auth) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+		return 1;
+	}
 	os_memcpy(attr + 1, orig, MD5_MAC_LEN);
 	os_memcpy(msg->hdr->authenticator, orig_authenticator,
 		  sizeof(orig_authenticator));
@@ -972,8 +1002,10 @@
 			  sizeof(msg->hdr->authenticator));
 	}
 	if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf),
-		     wpabuf_len(msg->buf), auth) < 0)
+		     wpabuf_len(msg->buf), auth) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
 		return 1;
+	}
 	os_memcpy(attr + 1, orig, MD5_MAC_LEN);
 	if (req_auth) {
 		os_memcpy(msg->hdr->authenticator, orig_authenticator,
@@ -1185,6 +1217,7 @@
 			elen[1] = MD5_MAC_LEN;
 		}
 		if (md5_vector(first ? 3 : 2, addr, elen, hash) < 0) {
+			wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
 			os_free(plain);
 			return NULL;
 		}
@@ -1213,10 +1246,10 @@
 }
 
 
-static void encrypt_ms_key(const u8 *key, size_t key_len, u16 salt,
-			   const u8 *req_authenticator,
-			   const u8 *secret, size_t secret_len,
-			   u8 *ebuf, size_t *elen)
+static int encrypt_ms_key(const u8 *key, size_t key_len, u16 salt,
+			  const u8 *req_authenticator,
+			  const u8 *secret, size_t secret_len,
+			  u8 *ebuf, size_t *elen)
 {
 	int i, len, first = 1;
 	u8 hash[MD5_MAC_LEN], saltbuf[2], *pos;
@@ -1250,7 +1283,10 @@
 			addr[1] = pos - MD5_MAC_LEN;
 			_len[1] = MD5_MAC_LEN;
 		}
-		md5_vector(first ? 3 : 2, addr, _len, hash);
+		if (md5_vector(first ? 3 : 2, addr, _len, hash) < 0) {
+			wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+			return -1;
+		}
 		first = 0;
 
 		for (i = 0; i < MD5_MAC_LEN; i++)
@@ -1258,6 +1294,8 @@
 
 		len -= MD5_MAC_LEN;
 	}
+
+	return 0;
 }
 
 
@@ -1375,8 +1413,9 @@
 	salt |= 0x8000;
 	WPA_PUT_BE16(pos, salt);
 	pos += 2;
-	encrypt_ms_key(send_key, send_key_len, salt, req_authenticator, secret,
-		       secret_len, pos, &elen);
+	if (encrypt_ms_key(send_key, send_key_len, salt, req_authenticator,
+			   secret, secret_len, pos, &elen) < 0)
+		return 0;
 	vhdr->vendor_length = hlen + elen - sizeof(vendor_id);
 
 	attr = radius_msg_add_attr(msg, RADIUS_ATTR_VENDOR_SPECIFIC,
@@ -1400,8 +1439,9 @@
 	salt ^= 1;
 	WPA_PUT_BE16(pos, salt);
 	pos += 2;
-	encrypt_ms_key(recv_key, recv_key_len, salt, req_authenticator, secret,
-		       secret_len, pos, &elen);
+	if (encrypt_ms_key(recv_key, recv_key_len, salt, req_authenticator,
+			   secret, secret_len, pos, &elen) < 0)
+		return 0;
 	vhdr->vendor_length = hlen + elen - sizeof(vendor_id);
 
 	attr = radius_msg_add_attr(msg, RADIUS_ATTR_VENDOR_SPECIFIC,
@@ -1492,7 +1532,10 @@
 	len[0] = secret_len;
 	addr[1] = msg->hdr->authenticator;
 	len[1] = 16;
-	md5_vector(2, addr, len, hash);
+	if (md5_vector(2, addr, len, hash) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+		return -1;
+	}
 
 	for (i = 0; i < 16; i++)
 		buf[i] ^= hash[i];
@@ -1503,7 +1546,10 @@
 		len[0] = secret_len;
 		addr[1] = &buf[pos - 16];
 		len[1] = 16;
-		md5_vector(2, addr, len, hash);
+		if (md5_vector(2, addr, len, hash) < 0) {
+			wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+			return -1;
+		}
 
 		for (i = 0; i < 16; i++)
 			buf[pos + i] ^= hash[i];
@@ -1792,7 +1838,10 @@
 		len[0] = secret_len;
 		addr[1] = pos - 16;
 		len[1] = 16;
-		md5_vector(2, addr, len, hash);
+		if (md5_vector(2, addr, len, hash) < 0) {
+			wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+			goto out;
+		}
 
 		for (i = 0; i < 16; i++)
 			pos[i] ^= hash[i];
@@ -1809,7 +1858,10 @@
 	len[1] = 16;
 	addr[2] = salt;
 	len[2] = 2;
-	md5_vector(3, addr, len, hash);
+	if (md5_vector(3, addr, len, hash) < 0) {
+		wpa_printf(MSG_INFO, "RADIUS: MD5 not available");
+		goto out;
+	}
 
 	for (i = 0; i < 16; i++)
 		pos[i] ^= hash[i];
diff --git a/src/radius/radius.h b/src/radius/radius.h
index 05fddba..09d3591 100644
--- a/src/radius/radius.h
+++ b/src/radius/radius.h
@@ -221,7 +221,6 @@
 #define RADIUS_VENDOR_ID_WFA 40808
 
 enum {
-	RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION = 1,
 	RADIUS_VENDOR_ATTR_WFA_HS20_AP_VERSION = 2,
 	RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION = 3,
 	RADIUS_VENDOR_ATTR_WFA_HS20_DEAUTH_REQ = 4,
@@ -276,11 +275,10 @@
 int radius_msg_finish_das_resp(struct radius_msg *msg, const u8 *secret,
 			       size_t secret_len,
 			       const struct radius_hdr *req_hdr);
-void radius_msg_finish_acct(struct radius_msg *msg, const u8 *secret,
-			    size_t secret_len);
-void radius_msg_finish_acct_resp(struct radius_msg *msg, const u8 *secret,
-				 size_t secret_len,
-				 const u8 *req_authenticator);
+int radius_msg_finish_acct(struct radius_msg *msg, const u8 *secret,
+			   size_t secret_len);
+int radius_msg_finish_acct_resp(struct radius_msg *msg, const u8 *secret,
+				size_t secret_len, const u8 *req_authenticator);
 int radius_msg_verify_acct_req(struct radius_msg *msg, const u8 *secret,
 			       size_t secret_len);
 int radius_msg_verify_das_req(struct radius_msg *msg, const u8 *secret,
diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
index 2a7f361..705aaef 100644
--- a/src/radius/radius_client.c
+++ b/src/radius/radius_client.c
@@ -482,8 +482,11 @@
 		wpa_printf(MSG_DEBUG,
 			   "RADIUS: Updated Acct-Delay-Time to %u for retransmission",
 			   delay_time);
-		radius_msg_finish_acct(entry->msg, entry->shared_secret,
-				       entry->shared_secret_len);
+		if (radius_msg_finish_acct(entry->msg, entry->shared_secret,
+					   entry->shared_secret_len) < 0) {
+			wpa_printf(MSG_INFO, "Failed to build RADIUS message");
+			return -1;
+		}
 		if (radius->conf->msg_dumps)
 			radius_msg_dump(entry->msg);
 	}
@@ -878,7 +881,14 @@
 		}
 		shared_secret = conf->acct_server->shared_secret;
 		shared_secret_len = conf->acct_server->shared_secret_len;
-		radius_msg_finish_acct(msg, shared_secret, shared_secret_len);
+		if (radius_msg_finish_acct(msg, shared_secret,
+					   shared_secret_len) < 0) {
+			hostapd_logger(radius->ctx, NULL,
+				       HOSTAPD_MODULE_RADIUS,
+				       HOSTAPD_LEVEL_INFO,
+				       "Failed to build RADIUS accounting message");
+			return -1;
+		}
 		name = "accounting";
 		s = radius->acct_sock;
 		conf->acct_server->requests++;
@@ -900,7 +910,14 @@
 		}
 		shared_secret = conf->auth_server->shared_secret;
 		shared_secret_len = conf->auth_server->shared_secret_len;
-		radius_msg_finish(msg, shared_secret, shared_secret_len);
+		if (radius_msg_finish(msg, shared_secret, shared_secret_len) <
+		    0) {
+			hostapd_logger(radius->ctx, NULL,
+				       HOSTAPD_MODULE_RADIUS,
+				       HOSTAPD_LEVEL_INFO,
+				       "Failed to build RADIUS authentication message");
+			return -1;
+		}
 		name = "authentication";
 		s = radius->auth_sock;
 		conf->auth_server->requests++;
@@ -1099,7 +1116,7 @@
 	struct radius_hdr *hdr;
 	struct radius_rx_handler *handlers;
 	size_t num_handlers, i;
-	struct radius_msg_list *req, *prev_req;
+	struct radius_msg_list *req, *prev_req, *r;
 	struct os_reltime now;
 	struct hostapd_radius_server *rconf;
 	int invalid_authenticator = 0;
@@ -1224,7 +1241,6 @@
 		break;
 	}
 
-	prev_req = NULL;
 	req = radius->msgs;
 	while (req) {
 		/* TODO: also match by src addr:port of the packet when using
@@ -1236,7 +1252,6 @@
 		    hdr->identifier)
 			break;
 
-		prev_req = req;
 		req = req->next;
 	}
 
@@ -1259,13 +1274,6 @@
 		       roundtrip / 100, roundtrip % 100);
 	rconf->round_trip_time = roundtrip;
 
-	/* Remove ACKed RADIUS packet from retransmit list */
-	if (prev_req)
-		prev_req->next = req->next;
-	else
-		radius->msgs = req->next;
-	radius->num_msgs--;
-
 	for (i = 0; i < num_handlers; i++) {
 		RadiusRxResult res;
 		res = handlers[i].handler(msg, req->msg, req->shared_secret,
@@ -1276,6 +1284,19 @@
 			radius_msg_free(msg);
 			/* fall through */
 		case RADIUS_RX_QUEUED:
+			/* Remove ACKed RADIUS packet from retransmit list */
+			prev_req = NULL;
+			for (r = radius->msgs; r; r = r->next) {
+				if (r == req)
+					break;
+				prev_req = r;
+			}
+			if (prev_req)
+				prev_req->next = req->next;
+			else
+				radius->msgs = req->next;
+			radius->num_msgs--;
+
 			radius_client_msg_free(req);
 			return;
 		case RADIUS_RX_INVALID_AUTHENTICATOR:
@@ -1297,7 +1318,6 @@
 		       msg_type, hdr->code, hdr->identifier,
 		       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
 		       "");
-	radius_client_msg_free(req);
 
  fail:
 	radius_msg_free(msg);
@@ -1509,8 +1529,10 @@
 		if (entry->msg_type == RADIUS_ACCT) {
 			entry->shared_secret = shared_secret;
 			entry->shared_secret_len = shared_secret_len;
-			radius_msg_finish_acct(entry->msg, shared_secret,
-					       shared_secret_len);
+			if (radius_msg_finish_acct(entry->msg, shared_secret,
+						   shared_secret_len) < 0)
+				wpa_printf(MSG_INFO,
+					   "RADIUS: Failed to update accounting message");
 		}
 	}
 }
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index fa36915..c9497c0 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -86,7 +86,6 @@
 	struct radius_msg *last_reply;
 	u8 last_authenticator[16];
 
-	unsigned int remediation:1;
 	unsigned int macacl:1;
 	unsigned int t_c_filtering:1;
 
@@ -147,7 +146,8 @@
 	/**
 	 * conf_ctx - Context pointer for callbacks
 	 *
-	 * This is used as the ctx argument in get_eap_user() calls.
+	 * This is used as the ctx argument in get_eap_user() and acct_req_cb()
+	 * calls.
 	 */
 	void *conf_ctx;
 
@@ -195,6 +195,27 @@
 			    int phase2, struct eap_user *user);
 
 	/**
+	 * acct_req_cb - Callback for processing received RADIUS accounting
+	 * requests
+	 * @ctx: Context data from conf_ctx
+	 * @msg: Received RADIUS accounting request
+	 * @status_type: Status type from the message (parsed Acct-Status-Type
+	 * attribute)
+	 * Returns: 0 on success, -1 on failure
+	 *
+	 * This can be used to log accounting information into file, database,
+	 * syslog server, etc.
+	 * Callback should not modify the message.
+	 * If 0 is returned, response is automatically created. Otherwise,
+	 * no response is created.
+	 *
+	 * acct_req_cb can be set to null to omit any custom processing of
+	 * account requests. Statistics counters will be incremented in any
+	 * case.
+	 */
+	int (*acct_req_cb)(void *ctx, struct radius_msg *msg, u32 status_type);
+
+	/**
 	 * eap_req_id_text - Optional data for EAP-Request/Identity
 	 *
 	 * This can be used to configure an optional, displayable message that
@@ -215,10 +236,6 @@
 	char *dump_msk_file;
 #endif /* CONFIG_RADIUS_TEST */
 
-	char *subscr_remediation_url;
-	u8 subscr_remediation_method;
-	char *hs20_sim_provisioning_url;
-
 	char *t_c_server_url;
 
 #ifdef CONFIG_SQLITE
@@ -243,44 +260,6 @@
 static void radius_server_session_remove_timeout(void *eloop_ctx,
 						 void *timeout_ctx);
 
-#ifdef CONFIG_SQLITE
-#ifdef CONFIG_HS20
-
-static int db_table_exists(sqlite3 *db, const char *name)
-{
-	char cmd[128];
-
-	os_snprintf(cmd, sizeof(cmd), "SELECT 1 FROM %s;", name);
-	return sqlite3_exec(db, cmd, NULL, NULL, NULL) == SQLITE_OK;
-}
-
-
-static int db_table_create_sim_provisioning(sqlite3 *db)
-{
-	char *err = NULL;
-	const char *sql =
-		"CREATE TABLE sim_provisioning("
-		" mobile_identifier_hash TEXT PRIMARY KEY,"
-		" imsi TEXT,"
-		" mac_addr TEXT,"
-		" eap_method TEXT,"
-		" timestamp TEXT"
-		");";
-
-	RADIUS_DEBUG("Adding database table for SIM provisioning information");
-	if (sqlite3_exec(db, sql, NULL, NULL, &err) != SQLITE_OK) {
-		RADIUS_ERROR("SQLite error: %s", err);
-		sqlite3_free(err);
-		return -1;
-	}
-
-	return 0;
-}
-
-#endif /* CONFIG_HS20 */
-#endif /* CONFIG_SQLITE */
-
-
 void srv_log(struct radius_session *sess, const char *fmt, ...)
 PRINTF_FORMAT(2, 3);
 
@@ -780,117 +759,6 @@
 }
 
 
-#ifdef CONFIG_HS20
-
-static int radius_server_is_sim_method(struct radius_session *sess)
-{
-	const char *name;
-
-	name = eap_get_method(sess->eap);
-	return name &&
-		(os_strcmp(name, "SIM") == 0 ||
-		 os_strcmp(name, "AKA") == 0 ||
-		 os_strcmp(name, "AKA'") == 0);
-}
-
-
-static int radius_server_hs20_missing_sim_pps(struct radius_msg *request)
-{
-	u8 *buf, *pos, *end, type, sublen;
-	size_t len;
-
-	buf = NULL;
-	for (;;) {
-		if (radius_msg_get_attr_ptr(request,
-					    RADIUS_ATTR_VENDOR_SPECIFIC,
-					    &buf, &len, buf) < 0)
-			return 0;
-		if (len < 6)
-			continue;
-		pos = buf;
-		end = buf + len;
-		if (WPA_GET_BE32(pos) != RADIUS_VENDOR_ID_WFA)
-			continue;
-		pos += 4;
-
-		type = *pos++;
-		sublen = *pos++;
-		if (sublen < 2)
-			continue; /* invalid length */
-		sublen -= 2; /* skip header */
-		if (pos + sublen > end)
-			continue; /* invalid WFA VSA */
-
-		if (type != RADIUS_VENDOR_ATTR_WFA_HS20_STA_VERSION)
-			continue;
-
-		RADIUS_DUMP("HS2.0 mobile device version", pos, sublen);
-		if (sublen < 1 + 2)
-			continue;
-		if (pos[0] == 0)
-			continue; /* Release 1 STA does not support provisioning
-
-				   */
-		/* UpdateIdentifier 0 indicates no PPS MO */
-		return WPA_GET_BE16(pos + 1) == 0;
-	}
-}
-
-
-#define HS20_MOBILE_ID_HASH_LEN 16
-
-static int radius_server_sim_provisioning_session(struct radius_session *sess,
-						  const u8 *hash)
-{
-#ifdef CONFIG_SQLITE
-	char *sql;
-	char addr_txt[ETH_ALEN * 3];
-	char hash_txt[2 * HS20_MOBILE_ID_HASH_LEN + 1];
-	struct os_time now;
-	int res;
-	const char *imsi, *eap_method;
-
-	if (!sess->server->db ||
-	    (!db_table_exists(sess->server->db, "sim_provisioning") &&
-	     db_table_create_sim_provisioning(sess->server->db) < 0))
-		return -1;
-
-	imsi = eap_get_imsi(sess->eap);
-	if (!imsi)
-		return -1;
-
-	eap_method = eap_get_method(sess->eap);
-	if (!eap_method)
-		return -1;
-
-	os_snprintf(addr_txt, sizeof(addr_txt), MACSTR,
-		    MAC2STR(sess->mac_addr));
-	wpa_snprintf_hex(hash_txt, sizeof(hash_txt), hash,
-			 HS20_MOBILE_ID_HASH_LEN);
-
-	os_get_time(&now);
-	sql = sqlite3_mprintf("INSERT INTO sim_provisioning(mobile_identifier_hash,imsi,mac_addr,eap_method,timestamp) VALUES (%Q,%Q,%Q,%Q,%u)",
-			      hash_txt, imsi, addr_txt, eap_method, now.sec);
-	if (!sql)
-		return -1;
-
-	if (sqlite3_exec(sess->server->db, sql, NULL, NULL, NULL) !=
-	    SQLITE_OK) {
-		RADIUS_ERROR("Failed to add SIM provisioning entry into sqlite database: %s",
-			     sqlite3_errmsg(sess->server->db));
-		res = -1;
-	} else {
-		res = 0;
-	}
-	sqlite3_free(sql);
-	return res;
-#endif /* CONFIG_SQLITE */
-	return -1;
-}
-
-#endif /* CONFIG_HS20 */
-
-
 static struct radius_msg *
 radius_server_encapsulate_eap(struct radius_server_data *data,
 			      struct radius_client *client,
@@ -992,74 +860,6 @@
 	}
 
 #ifdef CONFIG_HS20
-	if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->remediation &&
-	    data->subscr_remediation_url) {
-		u8 *buf;
-		size_t url_len = os_strlen(data->subscr_remediation_url);
-		buf = os_malloc(1 + url_len);
-		if (buf == NULL) {
-			radius_msg_free(msg);
-			return NULL;
-		}
-		buf[0] = data->subscr_remediation_method;
-		os_memcpy(&buf[1], data->subscr_remediation_url, url_len);
-		if (!radius_msg_add_wfa(
-			    msg, RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION,
-			    buf, 1 + url_len)) {
-			RADIUS_DEBUG("Failed to add WFA-HS20-SubscrRem");
-		}
-		os_free(buf);
-	} else if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->remediation) {
-		u8 buf[1];
-		if (!radius_msg_add_wfa(
-			    msg, RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION,
-			    buf, 0)) {
-			RADIUS_DEBUG("Failed to add WFA-HS20-SubscrRem");
-		}
-	} else if (code == RADIUS_CODE_ACCESS_ACCEPT &&
-		   data->hs20_sim_provisioning_url &&
-		   radius_server_is_sim_method(sess) &&
-		   radius_server_hs20_missing_sim_pps(request)) {
-		u8 *buf, *pos, hash[HS20_MOBILE_ID_HASH_LEN];
-		size_t prefix_len, url_len;
-
-		RADIUS_DEBUG("Device needs HS 2.0 SIM provisioning");
-
-		if (os_get_random(hash, HS20_MOBILE_ID_HASH_LEN) < 0) {
-			radius_msg_free(msg);
-			return NULL;
-		}
-		RADIUS_DUMP("hotspot2dot0-mobile-identifier-hash",
-			    hash, HS20_MOBILE_ID_HASH_LEN);
-
-		if (radius_server_sim_provisioning_session(sess, hash) < 0) {
-			radius_msg_free(msg);
-			return NULL;
-		}
-
-		prefix_len = os_strlen(data->hs20_sim_provisioning_url);
-		url_len = prefix_len + 2 * HS20_MOBILE_ID_HASH_LEN;
-		buf = os_malloc(1 + url_len + 1);
-		if (!buf) {
-			radius_msg_free(msg);
-			return NULL;
-		}
-		pos = buf;
-		*pos++ = data->subscr_remediation_method;
-		os_memcpy(pos, data->hs20_sim_provisioning_url, prefix_len);
-		pos += prefix_len;
-		wpa_snprintf_hex((char *) pos, 2 * HS20_MOBILE_ID_HASH_LEN + 1,
-				 hash, HS20_MOBILE_ID_HASH_LEN);
-		RADIUS_DEBUG("HS 2.0 subscription remediation URL: %s",
-			     (char *) &buf[1]);
-		if (!radius_msg_add_wfa(
-			    msg, RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION,
-			    buf, 1 + url_len)) {
-			RADIUS_DEBUG("Failed to add WFA-HS20-SubscrRem");
-		}
-		os_free(buf);
-	}
-
 	if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->t_c_filtering) {
 		u8 buf[4] = { 0x01, 0x00, 0x00, 0x00 }; /* E=1 */
 		const char *url = data->t_c_server_url, *pos;
@@ -1148,6 +948,8 @@
 				  client->shared_secret_len,
 				  hdr->authenticator) < 0) {
 		RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
+		radius_msg_free(msg);
+		return NULL;
 	}
 
 	if (code == RADIUS_CODE_ACCESS_ACCEPT)
@@ -1237,6 +1039,8 @@
 				  client->shared_secret_len,
 				  hdr->authenticator) < 0) {
 		RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
+		radius_msg_free(msg);
+		return NULL;
 	}
 
 	return msg;
@@ -1288,6 +1092,8 @@
 				  hdr->authenticator) <
 	    0) {
 		RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
+		radius_msg_free(msg);
+		return -1;
 	}
 
 	if (wpa_debug_level <= MSG_MSGDUMP) {
@@ -1815,6 +1621,7 @@
 	int from_port = 0;
 	struct radius_hdr *hdr;
 	struct wpabuf *rbuf;
+	u32 status_type;
 
 	buf = os_malloc(RADIUS_MAX_MSG_LEN);
 	if (buf == NULL) {
@@ -1896,7 +1703,20 @@
 		goto fail;
 	}
 
-	/* TODO: Write accounting information to a file or database */
+	/* Parse Acct-Status-Type from Accounting-Request */
+	if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_STATUS_TYPE,
+				      &status_type) != 0) {
+		RADIUS_DEBUG("Unable to parse Acct-Status-Type from %s", abuf);
+		goto fail;
+	}
+
+	/* Process accounting information by configured callback */
+	if (data->acct_req_cb &&
+	    data->acct_req_cb(data->conf_ctx, msg, status_type) != 0) {
+		RADIUS_DEBUG("Accounting request callback returned non-zero code indicating processing failure (from %s)",
+			     abuf);
+		goto fail;
+	}
 
 	hdr = radius_msg_get_hdr(msg);
 
@@ -1904,9 +1724,12 @@
 	if (resp == NULL)
 		goto fail;
 
-	radius_msg_finish_acct_resp(resp, (u8 *) client->shared_secret,
-				    client->shared_secret_len,
-				    hdr->authenticator);
+	if (radius_msg_finish_acct_resp(resp, (u8 *) client->shared_secret,
+					client->shared_secret_len,
+					hdr->authenticator) < 0) {
+		RADIUS_ERROR("Failed to add Message-Authenticator attribute");
+		goto fail;
+	}
 
 	RADIUS_DEBUG("Reply to %s:%d", abuf, from_port);
 	if (wpa_debug_level <= MSG_MSGDUMP) {
@@ -2221,6 +2044,7 @@
 	conf->eap_cfg->eap_server = 1;
 	data->ipv6 = conf->ipv6;
 	data->get_eap_user = conf->get_eap_user;
+	data->acct_req_cb = conf->acct_req_cb;
 	if (conf->eap_req_id_text) {
 		data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len);
 		if (!data->eap_req_id_text)
@@ -2231,20 +2055,6 @@
 	}
 	data->erp_domain = conf->erp_domain;
 
-	if (conf->subscr_remediation_url) {
-		data->subscr_remediation_url =
-			os_strdup(conf->subscr_remediation_url);
-		if (!data->subscr_remediation_url)
-			goto fail;
-	}
-	data->subscr_remediation_method = conf->subscr_remediation_method;
-	if (conf->hs20_sim_provisioning_url) {
-		data->hs20_sim_provisioning_url =
-			os_strdup(conf->hs20_sim_provisioning_url);
-		if (!data->hs20_sim_provisioning_url)
-			goto fail;
-	}
-
 	if (conf->t_c_server_url) {
 		data->t_c_server_url = os_strdup(conf->t_c_server_url);
 		if (!data->t_c_server_url)
@@ -2359,8 +2169,6 @@
 #ifdef CONFIG_RADIUS_TEST
 	os_free(data->dump_msk_file);
 #endif /* CONFIG_RADIUS_TEST */
-	os_free(data->subscr_remediation_url);
-	os_free(data->hs20_sim_provisioning_url);
 	os_free(data->t_c_server_url);
 
 #ifdef CONFIG_SQLITE
@@ -2528,7 +2336,6 @@
 				 phase2, user);
 	if (ret == 0 && user) {
 		sess->accept_attr = user->accept_attr;
-		sess->remediation = user->remediation;
 		sess->macacl = user->macacl;
 		sess->t_c_timestamp = user->t_c_timestamp;
 	}
@@ -2827,8 +2634,12 @@
 		return -1;
 	}
 
-	radius_msg_finish_acct(msg, (u8 *) client->shared_secret,
-			       client->shared_secret_len);
+	if (radius_msg_finish_acct(msg, (u8 *) client->shared_secret,
+				   client->shared_secret_len) < 0) {
+		RADIUS_ERROR("Failed to add Message-Authenticator attribute");
+		radius_msg_free(msg);
+		return -1;
+	}
 
 	if (wpa_debug_level <= MSG_MSGDUMP)
 		radius_msg_dump(msg);
diff --git a/src/radius/radius_server.h b/src/radius/radius_server.h
index 43192e5..5440558 100644
--- a/src/radius/radius_server.h
+++ b/src/radius/radius_server.h
@@ -10,6 +10,7 @@
 #define RADIUS_SERVER_H
 
 struct radius_server_data;
+struct radius_msg;
 struct eap_user;
 
 /**
@@ -47,7 +48,8 @@
 	/**
 	 * conf_ctx - Context pointer for callbacks
 	 *
-	 * This is used as the ctx argument in get_eap_user() calls.
+	 * This is used as the ctx argument in get_eap_user() and acct_req_cb()
+	 * calls.
 	 */
 	void *conf_ctx;
 
@@ -76,6 +78,27 @@
 			    int phase2, struct eap_user *user);
 
 	/**
+	 * acct_req_cb - Callback for processing received RADIUS accounting
+	 * requests
+	 * @ctx: Context data from conf_ctx
+	 * @msg: Received RADIUS accounting request
+	 * @status_type: Status type from the message (parsed Acct-Status-Type
+	 * attribute)
+	 * Returns: 0 on success, -1 on failure
+	 *
+	 * This can be used to log accounting information into file, database,
+	 * syslog server, etc.
+	 * Callback should not modify the message.
+	 * If 0 is returned, response is automatically created. Otherwise,
+	 * no response is created.
+	 *
+	 * acct_req_cb can be set to NULL to omit any custom processing of
+	 * accounting requests. Statistics counters will be incremented in any
+	 * case.
+	 */
+	int (*acct_req_cb)(void *ctx, struct radius_msg *msg, u32 status_type);
+
+	/**
 	 * eap_req_id_text - Optional data for EAP-Request/Identity
 	 *
 	 * This can be used to configure an optional, displayable message that
@@ -96,10 +119,6 @@
 	const char *dump_msk_file;
 #endif /* CONFIG_RADIUS_TEST */
 
-	char *subscr_remediation_url;
-	u8 subscr_remediation_method;
-	char *hs20_sim_provisioning_url;
-
 	char *t_c_server_url;
 
 	struct eap_config *eap_cfg;