Weird shared secret issues

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Thu May 1 14:09:14 CEST 2008


Hi,

	I have a record for 127.0.0.1, and for the ip of the machine
itself (Fixed dedicated IP).

	The end result is that I found that no matter what IP I
used to pass on the NAS-IP-Address, it used the machine's IP to match
the secret. The problem I had is we placed the device out in the field,
and I wanted to verify the tech used the right secret. I was hoping to
be able to tell radclient to "pretend" it was another IP, and therefore
search for that IP's secret to try. Unfortunately, it doesn't seem like
it has that capability. I don't understand what use then is the ability
to change the NAS-IP-Address if it still only cared about the secret
for the local machine.

		Thanks, Tuc
> 
> Hey Tuc,
> 
> This might happen because of interface changes.
> Also add a record to the nas table for the 127.0.0.1 ip address (or the other
> IP address you have configured on your ethernet interface).
> And I'm also assuming you have configured the nas table in sql.conf
> 
> 
> Regards,
> Liran Tal.
> 
> On Wed, Apr 30, 2008 at 11:41 PM, Tuc at T-B-O-H.NET <ml at t-b-o-h.net> wrote:
> 
> > Hi,
> >
> >        Running FreeRadius 2.0.3 built from source on Centos 5.1 with
> > a Mysql 5.0.45 back end.
> >
> >        We've been doing testing on our setup for MONTHS (First FR1,
> > now FR2) and it's been flawless. Today we went to put our first unit into
> > production and am having issues.
> >
> >        We are reading NAS from SQL. The entry is :
> >
> > (3,'192.168.25.13','SBC-1918','other',0,'KhLcPALLdzTcJs3f','GLRXTAFLfhf3N4zT','First Install')
> >
> >        From the user table I have :
> >
> > (1, 'tuc','User-Password',':=','PLAINTEXT')
> >
> >        And when I run :
> >
> > #!/bin/sh
> > (echo 'User-Name = "tuc"'
> > echo 'User-Password = "PLAINTEXT"'
> > echo 'NAS-IP-Address = 192.168.25.13'
> > echo 'NAS-Port = 0') | /usr/local/bin/radclient -x localhost auth KhLcPALLdzTcJs3f
> >
> >        I get :
> >
> > [root at ports ~]# sh TESTRAD
> >        User-Name = "tuc"
> >        User-Password = "PLAINTEXT"
> >        NAS-IP-Address = 192.168.25.13
> >        NAS-Port = 0
> > rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
> > with invalid signature (err=2)!  (Shared secret is incorrect.)
> >
> >        and in radius.log I see :
> >
> > Wed Apr 30 16:38:43 2008 : Auth: Login incorrect:
> > [tuc/eY\261=E3=A1(c)\226`\305\020y\366/=C2?\333] (from client localhost port 0)
> >
> >
> >
> >        HELP... I can't see what I'm doing wrong.
> >
> >                Thanks, Tuc
> >
> 
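
Added example, not part of the original thread: a minimal Python model of the RFC 2865 exchange behind the two symptoms quoted above (garbage password in radius.log, "invalid signature" in radclient). It shows that the secret is selected by the packet's source IP, so the NAS-IP-Address attribute cannot change which secret is tried. The client table, the 127.0.0.1 secret and the `exchange` helper are constructed for illustration; only the 192.168.25.13 secret and the user entry come from the post.

```python
import hashlib
import os
import struct

# Constructed client table modeled on the thread. The 127.0.0.1 secret is a
# placeholder; the 192.168.25.13 secret is the one quoted in the post.
CLIENTS = {"127.0.0.1": b"placeholder-localhost-secret",
           "192.168.25.13": b"KhLcPALLdzTcJs3f"}
USERS = {b"tuc": b"PLAINTEXT"}

def _xor_blocks(data, secret, req_auth, decode):
    """RFC 2865 section 5.2 User-Password hiding (and its inverse)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        prev = data[i:i + 16] if decode else block  # chain on ciphertext
        out += block
    return out

def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, req_auth, decode=False)

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def exchange(src_ip, nas_ip_attr, client_secret, user=b"tuc", password=b"PLAINTEXT"):
    """Return (reply code, whether the client accepts the reply signature)."""
    req_auth, ident = os.urandom(16), 1
    hidden = hide_password(password, client_secret, req_auth)
    # Server side: the secret comes from the source IP; nas_ip_attr is only
    # an attribute inside the packet and plays no part in the lookup.
    server_secret = CLIENTS[src_ip]
    seen = _xor_blocks(hidden, server_secret, req_auth, decode=True).rstrip(b"\x00")
    code = 2 if USERS.get(user) == seen else 3  # Access-Accept / Access-Reject
    reply_auth = response_authenticator(code, ident, req_auth, b"", server_secret)
    # Client side: radclient recomputes the authenticator with its own secret.
    expected = response_authenticator(code, ident, req_auth, b"", client_secret)
    return code, reply_auth == expected
```

Sending from 127.0.0.1 with the field unit's secret yields an Access-Reject whose signature the client cannot verify; the same secret from source 192.168.25.13 yields a verified Access-Accept.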




More information about the Freeradius-Users mailing list