problem with radclient
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Oct 17 11:31:45 CEST 2012
>
>
> rad_recv: Disconnect-ACK packet from host 1.1.1.1 port 3799, id=110, length=43
> rad_verify: Received Disconnect-ACK packet from home server 1.1.1.1 port 3799 with invalid signature! (Shared secret is incorrect.)
> radclient: no response from server for ID 110 socket 3
>
> The user is disconnected properly, but radclient does not recognize that response (I've used just -r 1 in this case; when using -r 3 I see additional packets sent, but they of course get a Disconnect-NAK).
No. It does recognise the response; it says pretty explicitly that it recognised the response. It's saying that the value of the Message-Authenticator is incorrect.
>
> I traced the communication, and only one packet is sent and one is received.
>
> Looks like the problem is in the logic of the rad_verify function when using Packet-Src-IP-Address.
Have you actually verified the Message-Authenticator returned in the Disconnect-Ack is correct?
When a Message-Authenticator Attribute is included within a CoA-ACK, CoA-NAK, Disconnect-ACK, or Disconnect-NAK, it is calculated as follows:

    Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)

When the HMAC-MD5 message integrity check is calculated, the Message-Authenticator Attribute MUST be considered to be sixteen octets of zero. The Request Authenticator is taken from the corresponding CoA/Disconnect-Request. The Message-Authenticator is calculated and inserted in the packet before the Response Authenticator is calculated.
-Arran
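Added example, not code from radclient or FreeRADIUS: a self-contained Python reconstruction of the two checks rad_verify applies to a Disconnect-ACK, following the RFC 5176 text quoted above ("Type" there is the packet Code). Given a captured Disconnect-Request, the Disconnect-ACK, and the shared secret, it reports separately whether the Response Authenticator and the Message-Authenticator are correct, which is the quickest way to settle whether the NAS computed the HMAC wrongly or radclient is at fault. Packet codes, attribute numbers and the Request/Response Authenticator rules are from RFC 2865/RFC 5176; the secret, session values and the "buggy NAS" variant (which HMACs over sixteen zero octets instead of the received Request Authenticator) are constructed assumptions for illustration, not a known defect in any product.

```python
# Added example (not FreeRADIUS/radclient code): rebuild the Disconnect-ACK
# checks described in RFC 5176 so a captured request/response pair can be
# verified offline against a known shared secret.
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40          # RFC 5176 packet codes
DISCONNECT_ACK = 41
ATTR_USER_NAME = 1               # RFC 2865 attribute types
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 / RFC 5176
HEADER_LEN = 20


def encode_attrs(attrs):
    """Serialise [(type, value), ...] into RADIUS TLVs (Type, Length, Value)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def build_packet(code, ident, authenticator, attrs_bytes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes)) + authenticator + attrs_bytes


def build_disconnect_request(ident, attrs, secret):
    """RFC 5176 2.3: Request Authenticator = MD5(Code, ID, Length, 16 zero octets, Attributes, Secret)."""
    attrs_bytes = encode_attrs(attrs)
    req_auth = hashlib.md5(build_packet(DISCONNECT_REQUEST, ident, bytes(16), attrs_bytes) + secret).digest()
    return build_packet(DISCONNECT_REQUEST, ident, req_auth, attrs_bytes)


def message_authenticator(code, ident, req_auth, attrs_zeroed, secret):
    """HMAC-MD5(Type, Identifier, Length, Request Authenticator, Attributes) keyed with the
    shared secret; attrs_zeroed must already carry Message-Authenticator as 16 zero octets."""
    return hmac.new(secret, build_packet(code, ident, req_auth, attrs_zeroed), hashlib.md5).digest()


def build_disconnect_ack(request, secret, buggy_zero_req_auth=False):
    """Build the ACK in the order the RFC text gives: Message-Authenticator first (over the
    request's Request Authenticator), then the Response Authenticator over the result.
    buggy_zero_req_auth=True is a constructed fault (assumption, not a known product bug):
    a NAS that HMACs over 16 zero octets, the rule for requests, instead of the
    Request Authenticator it received."""
    ident = request[1]
    req_auth = request[4:20]
    zeroed = encode_attrs([(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    hmac_auth = bytes(16) if buggy_zero_req_auth else req_auth
    ma = message_authenticator(DISCONNECT_ACK, ident, hmac_auth, zeroed, secret)
    attrs_bytes = encode_attrs([(ATTR_MESSAGE_AUTHENTICATOR, ma)])
    resp_auth = hashlib.md5(build_packet(DISCONNECT_ACK, ident, req_auth, attrs_bytes) + secret).digest()
    return build_packet(DISCONNECT_ACK, ident, resp_auth, attrs_bytes)


def find_attr(attrs_bytes, wanted):
    """Walk the TLVs; return (offset, value) of the first attribute of type `wanted`, or None."""
    i = 0
    while i + 2 <= len(attrs_bytes):
        t, l = attrs_bytes[i], attrs_bytes[i + 1]
        if l < 2 or i + l > len(attrs_bytes):
            raise ValueError("malformed attribute at offset %d" % i)
        if t == wanted:
            return i, attrs_bytes[i + 2:i + l]
        i += l
    return None


def verify_disconnect_ack(response, request, secret):
    """Return (response_authenticator_ok, message_authenticator_ok); the second is None
    when the response carries no Message-Authenticator at all."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False, False
    req_auth, resp_auth, attrs_bytes = request[4:20], response[4:20], response[20:]
    # Response Authenticator = MD5(Code, ID, Length, Request Authenticator, Attributes, Secret)
    expected = hashlib.md5(build_packet(code, ident, req_auth, attrs_bytes) + secret).digest()
    resp_ok = hmac.compare_digest(resp_auth, expected)
    found = find_attr(attrs_bytes, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None:
        return resp_ok, None
    off, value = found
    if len(value) != 16:
        return resp_ok, False
    # Zero the attribute's value before recomputing the HMAC, as the RFC requires.
    zeroed = attrs_bytes[:off + 2] + bytes(16) + attrs_bytes[off + 18:]
    ma_ok = hmac.compare_digest(value, message_authenticator(code, ident, req_auth, zeroed, secret))
    return resp_ok, ma_ok


# Constructed sample exchange (secret and session values are made up).
SECRET = b"testing123"
REQUEST = build_disconnect_request(110, [(ATTR_USER_NAME, b"alice"),
                                         (ATTR_ACCT_SESSION_ID, b"0000A1B2")], SECRET)
GOOD_ACK = build_disconnect_ack(REQUEST, SECRET)
BAD_ACK = build_disconnect_ack(REQUEST, SECRET, buggy_zero_req_auth=True)

if __name__ == "__main__":
    print("good ACK, right secret:", verify_disconnect_ack(GOOD_ACK, REQUEST, SECRET))
    print("good ACK, wrong secret:", verify_disconnect_ack(GOOD_ACK, REQUEST, b"wrong"))
    print("ACK with mis-keyed HMAC:", verify_disconnect_ack(BAD_ACK, REQUEST, SECRET))
```

To apply this to a real capture, feed the raw UDP payloads of the request and the ACK (for example exported from a pcap) in place of REQUEST and GOOD_ACK together with the secret configured for that NAS. A result of (True, False) means the Response Authenticator is right but the HMAC is not, so the NAS and the secret agree and the Message-Authenticator itself is miscomputed; (False, False) points at a secret mismatch or a different request than the one the ACK answers.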