Hi Alan, As you suggested I ran the server with -Xxxx flag and radclient with -xxx While it increased the debug level of the server, it did not change the output of the radclient. So i went forward and ran radsniff on both sides Attached are server2.txt (server log), radclient2.txt (radclient log), radsniff_client2.txt (radsniff output for the client) and radsniff_server2.txt (radsniff output for the server)
From what I see the final message from the server has exactly the same values as on client side, which means nothing changing the packet
Server: 2023-10-31 20:30:12.255945 (4) Disconnect-ACK Id 167 enp0s3: 192.168.2.227:42310 <- 192.168.2.157:3799 +0.002 +0.002 Event-Timestamp = "Oct 31 2023 20:30:12 UTC" Message-Authenticator = 0x680699937a7133452ba8dabe0e179856 Authenticator-Field = 0xf8c3e20b55fa591208f37ada73872184 Client: 2023-10-31 14:30:12.247761 (2) Disconnect-ACK Id 167 enp0s3: 192.168.2.227:42310 <- 192.168.2.157:3799 +0.002 +0.002 Event-Timestamp = "Oct 31 2023 14:30:12 MDT" Message-Authenticator = 0x680699937a7133452ba8dabe0e179856 Authenticator-Field = 0xf8c3e20b55fa591208f37ada73872184 Thanks, Alex On Tue, Oct 31, 2023 at 1:52 PM Alan DeKok <aland@deployingradius.com> wrote:
Or just run
radclient -xxx ...
and that will print out the hex packet, too.
On Oct 31, 2023, at 3:51 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 31, 2023, at 3:35 PM, Alexander Shulgin <alexs20@gmail.com> wrote:
I am trying to configure the coa proxy in latest Radius docker image
3.2.3.
I have defined a client with a proper shared secret (message initiator)
and
also defined a home server with a shared secret (message destination). When I send the CoA message I see in debug that the radius server is proxying the request, the NAS at destination receiving it, it responds back to the radius server and then the radius server forwards that message back to the initiator.
That's good. The Disconnect-Request packet is signed with the shared secret, so the server verifies it before processing the packet.
The problem is when I receive the final message from the radius server it has invalid message-authenticator.
Something is modifying the packet in transit.
Run the server with -Xxxx (one of the few times this is necessary). It should print out the Disconnect-Request packet as hex.
Run "radsniff" one the client, and it will print out the hex version of the packet it received.
If they're different, then something is mangling the reply before radclient sees it.
If the packets are the same, then something extremely weird is going on.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html