Dear everybody, I've installed the radius 's CVS version of 08-02-06. I've this architecture : client < ====> AP <====> Radius A <====> Radius B proxying with proxy.conf file : realm NULL { type = radius authhost = LOCAL accthost = LOCAL } realm AAA { type = radius authhost = LOCAL accthost = LOCAL type = radius } realm BBB { type = radius authhost = 147.173.3.249:1812 accthost = 147.173.3.249:1813 secret = RaDCNRSgreCentr1 nostrip } # This realm is for ALL OTHER requests. ## realm DEFAULT { type = radius authhost = anIP@:1812 accthost = anIP@:1813 secret = RaDCNRSgreCentr1 nostrip } I tried to use the proxy's configuration between the Server A and the Server B. the server A sent an Access-Request proxied to the Server B. When the server B answered to the proxy-request by an Acces-Chalenge request proxied, I had an error message like this : "Received Unknown packet code 11from client 147.173.3.249 port 1812: Cannot validate signature Dropping packet without response." So I searched for what could cause this error and I think I found it in the radius.c file, at the end of the rad_verify function. in the last switch-case code : /* * Calculate and/or verify digest. */ switch(packet->code) { int rcode; char buffer[32]; case PW_AUTHENTICATION_REQUEST: case PW_STATUS_SERVER: case PW_DISCONNECT_REQUEST: /* * The authentication vector is random * nonsense, invented by the client. */ break; case PW_ACCOUNTING_REQUEST: if (calc_acctdigest(packet, secret) > 1) { librad_log("Received Accounting-Request packet " "from %s with invalid signature! (Shared secret is incorrect.)", inet_ntop(packet->src_ipaddr.af, &packet->src_ipaddr.ipaddr,buffer, sizeof(buffer))); return -1; } break; /* Verify the reply digest */ case PW_AUTHENTICATION_ACK: case PW_AUTHENTICATION_REJECT: case PW_ACCOUNTING_RESPONSE: rcode = calc_replydigest(packet,original, secret); if (rcode > 1) { librad_log("Received %s packet " "from client %s port %d with invalid signature (err=%d)! (Shared secret is incorrect.)",packet_codes[packet->code], inet_ntop(packet->src_ipaddr.af, &packet->src_ipaddr.ipaddr,buffer, sizeof(buffer)),packet->src_port, rcode); return -1; } break; default: librad_log("Received Unknown packet code %d" "from client %s port %d: Cannot validate signature", packet->code,inet_ntop(packet->src_ipaddr.af, &packet->src_ipaddr.ipaddr, buffer,sizeof(buffer)), packet->src_port); return -1; } There was no case of Acces challenge resquest ,I added it (case PW_ACCESS_CHALLENGE). And now the proxy request works ! I would like to know if the change is correct and if somebody already had this error . Your sincerly. --------------------------------- Découvrez un nouveau moyen de poser toutes vos questions quelque soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. Cliquez ici.
Mitaine Yoann <ymitaine@yahoo.fr> wrote:
There was no case of Acces challenge resquest ,I added it (case PW_ACCESS_CHALLENGE). And now the proxy request works ! I would like to know if the change is correct and if somebody already had this error .
It's a bug, and a fairly stupid one at that. I can't help but feel at least partially responsible, as I was the last one who touched that code. I'll commit a fix shortly. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
Mitaine Yoann