[Access-Accept with shared key incorrect]

Thomas Fagart tfagart at brozs.net
Fri Jul 3 13:06:28 CEST 2009


Hello,

We use freeradius as a proxy server successfully with many home servers. But
today, with a new customer, we're having an issue with the shared key.
Here is some debug output.

srv-orhy# radiusd -v
radiusd: FreeRADIUS Version 2.1.3, for host x86_64-unknown-freebsd6.1, built on Dec 16 2008 at 23:42:12


Sending Access-Request of id 22 to X.X.X.X port 1645
        User-Name = "toto at toto"
        Acct-Session-Id = "erx GigabitEthernet 1/0.11074:11-74:0041982426"
        CHAP-Password = 0x9005d4c0511e1344a478d2e04ce155b0e2
        CHAP-Challenge = 0xd7872df753f8fd7becff63c4298c36bf7a066335ebe758754c3b1fded3
        Service-Type = Framed-User
        Framed-Protocol = PPP
        ERX-Pppoe-Description = "pppoe 00:1f:9f:4c:68:88"
        Calling-Station-Id = "#bas-val92-01#E10#74"
        NAS-Port-Type = Virtual
        NAS-Port = 268435530
        NAS-Port-Id = "dsl-val92-02 atm 0/3/0/1:8.35 "
        NAS-IP-Address = Y.Y.Y.Y
        NAS-Identifier = "bas-val92-01"
        Proxy-State = 0x313338
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host X.X.X.X port 1645, id=22, length=131
Received Access-Accept packet from client X.X.X.X port 1645 with invalid signature (err=2)!  (Shared secret is incorrect.) Dropping packet without response.

At first, we thought it was a dumb story about not having the same secret
on both sides. But after having tried many times, we think it's something
else.

Using radtest from the proxy with the correct secret (e.g. the same one
that is in proxy.conf) gives a correct answer:

srv-orhy#  radtest toto at toto pipo X.X.X.X:1645 268435530 secret
Sending Access-Request of id 192 to X.X.X.X port 1645
        User-Name = "toto at toto"
        User-Password = "pipo"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 268435530
rad_recv: Access-Reject packet from host 194.158.122.20 port 1645, id=192, length=34
        Vendor-Specific = 0x00004e200000000000000008

In that case the home server's RADIUS response (even if it is a reject) is
properly decoded by the proxy.

Do you have any clue about this issue?

Best Regards

Thomas
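
The check behind the "invalid signature" message, shown as an added example that is not part of the original post or FreeRADIUS's own code: RFC 2865 defines the Response Authenticator as MD5 over the reply header, the Request Authenticator of the matching request, the reply attributes and the shared secret, so a reply validates only against the exact request and secret it was signed with. Function names, secrets and packet contents below are constructed for illustration; only the code 2 (Access-Accept) and id 22 mirror the debug output above.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    # What the replying server does: sign the reply with its copy of the secret.
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, request_auth, secret):
    # What the receiver does: recompute with its own secret and the
    # authenticator of the request it sent (for a proxy, the proxied request).
    if len(packet) < 20 or len(request_auth) != 16:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values (not taken from the post).
REQUEST_AUTH = bytes(range(16))            # authenticator of the request sent
ATTRS = bytes([18, 4]) + b"ok"             # Reply-Message attribute, value "ok"
HOME_SECRET = b"home-server-secret"        # secret the replying side signs with
PROXY_SECRET = b"proxy-conf-secret"        # different secret on the receiver
REPLY = build_reply(2, 22, ATTRS, REQUEST_AUTH, HOME_SECRET)

if __name__ == "__main__":
    print("same secret      :", verify_reply(REPLY, REQUEST_AUTH, HOME_SECRET))
    print("different secret :", verify_reply(REPLY, REQUEST_AUTH, PROXY_SECRET))
    print("other request    :", verify_reply(REPLY, bytes(16), HOME_SECRET))
    print("altered attribute:", verify_reply(REPLY[:-1] + b"x", REQUEST_AUTH, HOME_SECRET))
```

Given a captured request and reply pair, feeding the raw reply bytes and the request's 16-byte authenticator to `verify_reply` with the secret from proxy.conf reproduces the receiver's decision offline.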



