Re: logs: invalid Message-Authenticator! (Shared secret is incorrect.)
On 10/13/06, Paul Lambert <paul.lambert@gmail.com> wrote:
Hi,
Have you checked your authentication protocol on the shared
secret? Are you sending with CHAP when freeradius is not expecting it
or vice versa?
Have you tried testing with a radius test client
- this should allow you to determine if the problem is in the Client or
the Server config... or just a misconfiguration between the two!
Kind regards,
Paul.
On 10/13/06, K. Hoercher <wbhoer@gmail.com> wrote:
Hi,
On 10/13/06, YvesDM <ydmlog@gmail.com> wrote:
> Looks pretty obvious, though, I'm sure the shared secret is correct in my
> clients.conf and in the chillispot configuration.
> Any hints?
Well, as you said yourself, it looks pretty obvious. But as it would
be extremely unlikely for both statements to be true, I'd suggest (in
no particular order):
Check clients.conf for eventual more specific entries overriding those
for subnets. Does some sql reading of nas's set another secret? Do the
alleged "correct" config files get actually used by freeradius (been
there, done that *g*).
Something to those effects regarding chilli.conf.
Some of that might have been ruled out/in already, had you provided
the full debug output and pertinent snippets from your config.
Sniff the radius traffic, and check validity manually. See src/lib/hmac.c
hth
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Tnx for the answers.
Meanwhile I've upgraded chillispot to the newest version, changed the
shared secrets into something else and reloaded the radius
configuration and the problem was gone.
Y.
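
Added example, not part of the thread and not FreeRADIUS code: one way to do the manual check suggested above ("sniff the radius traffic, and check validity manually") for an Access-Request, following the RFC 2869 rule that Message-Authenticator is HMAC-MD5 over the whole packet with the attribute's 16-byte value zeroed and the shared secret as key. The function names, the sample packet and the secret `testing123` are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14


def find_message_authenticator(packet: bytes):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # header: code, id, length, 16-byte Request Authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 bytes")
            return pos + 2
        pos += attr_len
    return None


def check_access_request(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 over the request with the attribute value zeroed."""
    length = struct.unpack("!H", packet[2:4])[0]
    off = find_message_authenticator(packet)
    if off is None:
        raise ValueError("no Message-Authenticator attribute")
    received = packet[off:off + 16]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_sample_request(secret: bytes) -> bytes:
    """Constructed Access-Request (not a real capture) signed with `secret`."""
    attrs = b"\x01\x05bob" + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16)) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


if __name__ == "__main__":
    sample = build_sample_request(b"testing123")
    print(check_access_request(sample, b"testing123"))  # secret matches
    print(check_access_request(sample, b"testing124"))  # secret differs
```

Feed it the UDP payload of a captured Access-Request and the secret from each side's configuration in turn; whichever secret makes the check pass is the one the NAS is actually using.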