"Invalid packet code 11 sent to authentication port from client" error

Alan DeKok aland at deployingradius.com
Fri Mar 19 18:56:26 CET 2010


Rob Brickhouse wrote:
> I hope someone can help me with this. I tested setting up FreeRADIUS
> 2.1.6 on an openSUSE 10.2 box and was able to get everything
> authenticating against Novell eDirectory. Now that I'm finally ready to
> put it on my production box, only 2.1.8 is available but I figure no big
> deal since it appeared to have a lot of fixes. After going through and
> setting everything up like I did before, I can use my test utility to
> verify that I can successfully read the username and password from
> eDirectory but I get the message "Invalid packet code 11 sent to
> authentication port from client TESAP8 port 1041 : IGNORED" when my
> Netgear access point connects.

  The AP is broken.  Throw it in the garbage and buy one that implements
RADIUS.

> I can change the IP to my 2.1.6
> FreeRADIUS box and it works so I don't think the issue is with my AP
> even though that is what the message seems to indicate.

  I don't see why that would make any difference.  What does the debug
log from 2.1.6 look like?

...
> Sending Access-Challenge of id 20 to 10.6.4.108 port 1041
>  EAP-Message = 0x010100160410eae98bafd4b076dcf8b6341b415000fe
>  Message-Authenticator = 0x00000000000000000000000000000000
>  State = 0x731ac834731bcca6975b39a87528fad1
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Invalid packet code 11 sent to authentication port from client TESAP8
> port 1041 : IGNORED

  IIRC, this is similar to a bug seen before.  If it sees an
Access-Challenge with State *after* Message-Authenticator, it "bounces"
the packet back to the RADIUS server.  This is two errors:

 1) order of attributes does not matter
 2) clients do not send Access-Challenge to a server.

  There is NO WAY that an AP should send an Access-Challenge to a
server.  If it does, then the AP is horribly broken.

  My guess is that this is a very old AP using a broken firmware image.
 Or, it's a new one, and the vendor didn't bother to implement RADIUS
correctly.

  Alan DeKok.
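
Added example, not part of the original message and not FreeRADIUS code: a small RADIUS parser that rebuilds the logged Access-Challenge (id 20) in both attribute orders and shows that a server-side check on its authentication port turns away code 11 either way. The accepted-code set {1, 12}, the function names and the zeroed request authenticator are assumptions made for the illustration.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge", 12: "Status-Server"}
ATTRS = {24: "State", 79: "EAP-Message", 80: "Message-Authenticator"}
# Assumption: the only codes a server takes from a client on its auth port.
SERVER_AUTH_CODES = {1, 12}

def build(code, ident, attrs, authenticator=bytes(16)):
    """Encode a RADIUS packet from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(data):
    """Return (code, id, [(type, value), ...]); raise ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def server_auth_port_verdict(data):
    """Decide what a server should do with a packet received from a client."""
    code, ident, _ = parse(data)
    if code in SERVER_AUTH_CODES:
        return "process"
    return f"ignore: invalid packet code {code} ({CODES.get(code, 'unknown')}), id {ident}"

# Constructed from the attribute values in the debug log above;
# Message-Authenticator is the all-zero placeholder the log prints.
EAP = bytes.fromhex("010100160410eae98bafd4b076dcf8b6341b415000fe")
STATE = bytes.fromhex("731ac834731bcca6975b39a87528fad1")
LOGGED = [(79, EAP), (80, bytes(16)), (24, STATE)]     # order in the log
REORDERED = [(24, STATE), (79, EAP), (80, bytes(16))]  # State first

if __name__ == "__main__":
    for attrs in (LOGGED, REORDERED):
        pkt = build(11, 20, attrs)
        print([ATTRS[t] for t, _ in parse(pkt)[2]], "->", server_auth_port_verdict(pkt))
```
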


