On 22/10/15 17:07, Alan DeKok wrote:
On Oct 22, 2015, at 3:21 AM, Daniel Pocock <daniel@pocock.pro> wrote:
We tried that, we can see freeradius is authorizing the requests
libfreeradius-client is logging the following:
rc_check_reply: received invalid reply digest from RADIUS server
So the shared secret is wrong.
I disabled the check in the libfreeradius-client code and everything else appears to work (commenting out the return BADRESP_RC):
Which means anyone can forge replies to authentication packets.
Don't do that. Fix the shared secret.
I'm not suggesting that this change be merged like a pull request The shared secret was not changed when upgrading the system from Debian wheezy to jessie. We compared the client and server configs and the secret appears to be the same in both. It had all been working fine for quite some time. If nobody has seen anything like this before, I'll try adding some more logging code or running it in a debugger. Regards, Daniel