On 22/10/15 17:49, Alan DeKok wrote:
On Oct 22, 2015, at 11:25 AM, Daniel Pocock <daniel@pocock.pro> wrote:
The shared secret was not changed when upgrading the system from Debian wheezy to jessie. We compared the client and server configs and the secret appears to be the same in both. It had all been working fine for quite some time. If nobody has seen anything like this before, I'll try adding some more logging code or running it in a debugger.
<shrug>
a) the shared secret is wrong on the client
b) the shared secret is wrong on the server
c) the client calculates the packet signature incorrectly
d) the server calculates the packet signature incorrectly
Pick one.
You can always run radclient from the client machine, too. That would give you another test.
Some more observations: - we had the password in the radius-servers file. If we put the password on the authserver line in the radius-config file instead, then everything works again. E.g. we change from: authserver some-server to authserver some-server:1812:<secret> - I also tried using radcli instead of freeradius-client. radcli logs a syslog error about not being able to read the radius-servers file Nothing had been changed in these files, the permissions were fine for the process to read them too. I haven't had time to step through it with a debugger or strace to see what goes wrong when it tries to access the radius-servers file. It is good that radcli warns about the real problem earlier on, as the errors from freeradius-client come much too late.