rad_recv: Disconnect-ACK packet from host 1.1.1.1 port 3799, id=110, length=43 rad_verify: Received Disconnect-ACK packet from home server 1.1.1.1 port 3799 with invalid signature! (Shared secret is incorrect.) radclient: no response from server for ID 110 socket 3
user is disconnected properly but radclient does not recognize that response ( I've used just -r 1 in this case, when using -r 3 i see additional packets sent but they of course get a Disconnect-NAK)
No. It does recognise the response, it says pretty explicitly it recognised the response, it's saying that the value of the Message-Authenticator is incorrect.
i traced the communication and only one packet send and one is received.
Looks like the problem is in the logic of rad_verify function when using Packet-Src-IP-Address.
Have you actually verified the Message-Authenticator returned in the Disconnect-Ack is correct? When a Message-Authenticator Attribute is included within a CoA- ACK, CoA-NAK, Disconnect-ACK, or Disconnect-NAK, it is calculated as follows: Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes) When the HMAC-MD5 message integrity check is calculated, the Message-Authenticator Attribute MUST be considered to be sixteen octets of zero. The Request Authenticator is taken from the corresponding CoA/Disconnect-Request. The Message-Authenticator is calculated and inserted in the packet before the Response Authenticator is calculated. -Arran