a problem about radius and digest

Peter Nixon listuser at peternixon.net
Mon Jan 29 19:44:08 CET 2007


On Mon 29 Jan 2007 17:22, Alan DeKok wrote:
> tzieleniewski wrote:
> > I am using radius to authenticate requests from the radiusclient-ng2 with
> > the digest method. I have a strange situation because the client logs the
> > following problem: "received invalid reply digest from RADIUS server"
> > This is strange because, as I read on the web, this error is due to wrong
> > secrets configuration.
>
>   Yes.  The shared secrets are wrong, or there is some miscalculation of
> the reply digest.
>
> > I checked a few times and the secrets are the same. I even tried to reinstall
> > both freeradius and libradiusclient-ng2. Please help me and point out what
> > could be the reason for this?
>
>   Which OS are you running on?  Is it 64-bit?  What CPU?
>
>   The libradiusclient code MAY be doing MD5 incorrectly.
>
> > Here is my radius debug (maybe it will help):
> > rad_recv: Access-Request packet from host 127.0.0.1 port 32894, id=198, length=300
> >         User-Name = "hellboy at voip.touk.pl"
> >         Digest-Attributes = 0x0a0968656c6c626f79
> >         Digest-Attributes = 0x010e766f69702e746f756b2e706c
> >         Digest-Attributes = 0x022a34356264656531363664353437333838393736323162356564343730383331323661316461636633
> >         Digest-Attributes = 0x04187369703a746f6d697840766f69702e746f756b2e706c
> >         Digest-Attributes = 0x0308494e56495445
> >         Digest-Attributes = 0x050661757468
> >         Digest-Attributes = 0x090a3030303030303031
> >         Digest-Attributes = 0x08223639464435383136374435424646364631304633363746453943433138333339
> >         Digest-Response = "2c8b62ee23ac6cbe4a551b8b698a509c"
> >         Service-Type = 0x0000000f00000000
>
>   That looks like a bug in libradiusclient.  The Service-Type attribute
> should be 4 bytes of data, not 8.
>
> >         SER-Service-Type = 0x0000000300000000
> >         SER-Uri-User = "hellboy"
> >         NAS-Port = 0x000013c400000000
> >         NAS-IP-Address = 0x7f00000100000000
>
>   Again, the NAS-Port & NAS-IP-Address attributes should be 4 bytes of
> data, not 8.
>
>   This makes me suspect you're running on a 64-bit system, and that the
> libradiusclient code isn't 64-bit clean.

Yes. I _think_ that this is the bug that Chris fixed in freeradius-client 2 
days ago.

Try using a current snapshot of freeradius-client instead of radiusclient-ng 
and see if the problem is solved. Here is a link:
ftp://ftp.suntel.com.tr/pub/freeradius/snapshots/freeradius-client-snapshot-20070129.tar.bz2

A patch I wrote to make OpenSER use freeradius-client instead of 
radiusclient-ng is at:
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1631052&group_id=139143

If you run SER instead of OpenSER you may have to fiddle with the patch 
slightly.

A modified version of the patch has been applied to openser cvs. (See the 
comments for details)

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
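
A width check for the fixed-size attributes flagged in the quoted debug output, as an added example that is not part of the original message and is not code from FreeRADIUS, radiusclient-ng or freeradius-client. The attribute type numbers are from RFC 2865; the sample bytes are constructed from the values in the debug output, and their type/length framing is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 2865 attributes whose value is always exactly 4 octets. */
enum { NAS_IP_ADDRESS = 4, NAS_PORT = 5, SERVICE_TYPE = 6 };

/* 64-bit-clean encoder: always 4 value octets in network byte order,
 * independent of sizeof(long) on the build host. */
static size_t put_u32(uint8_t *out, uint8_t type, uint32_t v) {
    out[0] = type; out[1] = 6;          /* 2-octet header + 4-octet value */
    out[2] = (uint8_t)(v >> 24); out[3] = (uint8_t)(v >> 16);
    out[4] = (uint8_t)(v >> 8);  out[5] = (uint8_t)v;
    return 6;
}

/* Walk an attribute block; return how many fixed-width attributes carry a
 * value that is not 4 octets, or -1 if the TLV framing is malformed. */
static int count_bad_widths(const uint8_t *p, size_t n) {
    int bad = 0;
    while (n > 0) {
        if (n < 2 || p[1] < 2 || p[1] > n) return -1;
        if ((p[0] == NAS_IP_ADDRESS || p[0] == NAS_PORT || p[0] == SERVICE_TYPE)
            && p[1] != 6)
            bad++;
        n -= p[1]; p += p[1];
    }
    return bad;
}

/* Constructed sample: values copied from the debug output in this thread;
 * the framing (length 10 = 2 + 8) is assumed from the 8-octet values shown. */
static const uint8_t observed[] = {
    SERVICE_TYPE,   10, 0x00,0x00,0x00,0x0f, 0x00,0x00,0x00,0x00,
    NAS_PORT,       10, 0x00,0x00,0x13,0xc4, 0x00,0x00,0x00,0x00,
    NAS_IP_ADDRESS, 10, 0x7f,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
};
static int check_observed(void) { return count_bad_widths(observed, sizeof observed); }

/* The same three values written with the fixed-width encoder. */
static int check_clean(void) {
    uint8_t buf[18]; size_t n = 0;
    n += put_u32(buf + n, SERVICE_TYPE, 15);
    n += put_u32(buf + n, NAS_PORT, 5060);            /* 0x13c4 */
    n += put_u32(buf + n, NAS_IP_ADDRESS, 0x7f000001u);
    return count_bad_widths(buf, n);
}

int main(void) { printf("observed=%d clean=%d\n", check_observed(), check_clean()); return 0; }
```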