"Invalid packet code 11 sent to authentication port from client" error

Rob Brickhouse crbrickhouse at gmail.com
Thu Mar 25 15:08:40 CET 2010

Is it possible the issue is with the network card in the server and not the
AP's? I've tried setting it up on another machine and everything works on it
exactly as configured. Using a Cisco AP didn't work and the version of
freeradius I install on the box reporting errors doesn't make a difference
either since I downloaded and installed 2.1.6 identical to my test machine
and got the same errors. In any event I think I'm going to move DNS/DHCP to
my test box and and then switch it to my production unit. Thanks for the
help guys.

On Fri, Mar 19, 2010 at 1:56 PM, Alan DeKok <aland at deployingradius.com>wrote:

> Rob Brickhouse wrote:
> > I hope someone can help me with this. I tested setting up freeradius
> > 2.1.6 on an opensuse 10.2 box and was able to get everything
> > authenticating against novell edirectory. Now that I'm finally ready to
> > put it on my production box, only 2.1.8 is available but I figure no big
> > deal since it appeared to have alot of fixes. After going through and
> > setting everything up like I did before, I can use my test utility to
> > verify that I can successfully read the username and password from
> > edirectory but I get the message "Invalid packet code 11 sent to
> > authentication port from client TESAP8 port 1041 : IGNORED" when my
> > Netgear access point connects.
>  The AP is broken.  Throw it in the garbage and buy one that implements
> > I can change the ip to my 2.1.6
> > freeradius box and it works so I don't think the issue is with my AP
> > even though that is what the message seems to indicate.
>  I don't see why that would make any difference.  What does the debug
> log from 2.1.6 look like?
> ...
> > Sending Access-Challenge of id 20 to port 1041
> >  EAP-Message = 0x010100160410eae98bafd4b076dcf8b6341b415000fe
> >  Message-Authenticator = 0x00000000000000000000000000000000
> >  State = 0x731ac834731bcca6975b39a87528fad1
> > Finished request 1.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > Invalid packet code 11 sent to authentication port from client TESAP8
> > port 1041 : IGNORED
>  IIRC, this is similar to a bug seen before.  If it sees an
> Access-Challenge with State *after* Message-Authenticator, it "bounces"
> the packet back to the RADIUS server.  This is two errors:
>  1) order of attributes does not matter
>  2) clients do not send Access-Challenge to a server.
>  There is NO WAY that an AP should send an Access-Challenge to a
> server.  If it does, then the AP is horribly broken.
>  My guess is that this is a very old AP using a broken firmware image.
>  Or, it's a new one, and the vendor didn't bother to implement RADIUS
> correctly.
>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100325/4b84c08b/attachment.html>

More information about the Freeradius-Users mailing list