On Nov 9, 2018, at 12:58 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Nov 7, 2018, at 4:47 PM, Sam T <givemesam@gmail.com> wrote:
Hi!
We are getting close to a workable solution with freeradius!
When running freeradius in debug mode we can see that sometimes it comes in correctly, and other times in some kind of junky value.
The shared secret is wrong. If your NAS supports Message-Authenticator, enable it and FreeRADIUS will tell you that the shared secret is wrong.
The other things it could be are an intermediary proxy, not decrypting/re-encrypting the password value correctly. Bytes being overwritten in the message authenticator. Bytes being overwritten in the User-Password attributes. Packets coming from different source IPs (with different shared secrets). Uninitialised memory in the RADIUS client screwing up the encryption, etc.. Use radsniff with captured packets and pass -s to verify it's not a client lookup issue. Send packets directly if you're using a proxy. Verify PCAPs on the NAS and RADIUS server have the same content. -Arran