Sometimes passwords are coming in with junk

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Nov 9 19:04:03 CET 2018



> On Nov 9, 2018, at 12:58 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> 
> 
> 
>> On Nov 7, 2018, at 4:47 PM, Sam T <givemesam at gmail.com> wrote:
>> 
>> Hi!
>> 
>> We are getting close to a workable solution with freeradius!
>> 
>> When running freeradius in debug mode we can see that sometimes it comes in
>> correctly, and other times in some kind of junky value.
> 
> The shared secret is wrong.  If your NAS supports Message-Authenticator, enable it and FreeRADIUS will tell you that the shared secret is wrong.

The other things it could be are an intermediary proxy not decrypting/re-encrypting the password value correctly.

Bytes being overwritten in the message authenticator.  Bytes being overwritten in the User-Password attributes.

Packets coming from different source IPs (with different shared secrets).

Uninitialised memory in the RADIUS client screwing up the encryption, etc.

Use radsniff with captured packets and pass -s to verify it's not a client lookup issue.

Send packets directly if you're using a proxy.

Verify PCAPs on the NAS and RADIUS server have the same content.

-Arran
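
The failure modes listed in this message, shown as an added example that is not part of the original post: the RFC 2865 User-Password hiding scheme decoded with the same secret, with a different secret, and after one byte of the attribute has been overwritten. The function names, secrets, password and Request Authenticator are constructed for illustration.

```python
import hashlib

def _keystream(secret: bytes, prev: bytes) -> bytes:
    # b(i) = MD5(shared secret + previous 16 octets)
    return hashlib.md5(secret + prev).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 5.2): c(i) = p(i) XOR MD5(secret + c(i-1)),
    with c(0) being the 16-octet Request Authenticator."""
    width = max(16, -(-len(password) // 16) * 16)  # at least one block
    padded = password.ljust(width, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], _keystream(secret, prev))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain run in reverse. Nothing in this step can
    detect a wrong secret or a modified attribute; it just yields bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _keystream(secret, prev))
        prev = block
    return out.rstrip(b"\x00")

# Constructed sample values, not taken from the thread.
PASSWORD = b"correct horse battery"
NAS_SECRET = b"nas-side-secret"
REQUEST_AUTH = bytes(range(16))
HIDDEN = hide_password(PASSWORD, NAS_SECRET, REQUEST_AUTH)

def tamper_first_byte(hidden: bytes) -> bytes:
    # Simulates one overwritten byte in the User-Password attribute.
    return bytes([hidden[0] ^ 0x01]) + hidden[1:]

if __name__ == "__main__":
    print("same secret     :", recover_password(HIDDEN, NAS_SECRET, REQUEST_AUTH))
    print("different secret:", recover_password(HIDDEN, b"server-side-secret", REQUEST_AUTH))
    print("one byte changed:", recover_password(tamper_first_byte(HIDDEN), NAS_SECRET, REQUEST_AUTH))
```

Decoding succeeds without error in all three cases, so a mismatch shows up only as junk in the password; a single overwritten byte corrupts that byte and then the entire following 16-byte block.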

