On Dec 11, 2019, at 4:19 PM, Min Wang <Min.Wang@theice.com> wrote:
The shared secret is correct tested with radtest and PostgreSQL 9
Is it correct with PG 11? And what does the server send back? Reading the debug output helps. The PG 11 code is online at: https://github.com/postgres/postgres/blob/master/src/backend/libpq/auth.c#L3... It looks like it's wrong. :( i.e. it does the right calculations most of the time. But if the Access-Accept contains a Message-Authenticator attribute, then PostgreSQL code is wrong. Edit the FR configuration to delete the Message-Authenticator attribute from the reply: post-auth { ... if (!EAP-Message) { update reply { Message-Authenticator !* ANY } } } I suspect that will make it work. Alan DeKok.