FreeRadius Proxying and Message-Authenticator
Hi. I've downloaded FR 1.0.5 whch is supposed to have a bugfix for Message-Authenticator handling in Accounting-* messages. I've tested with radclient, and I'm still having trouble with this attribute. I've posted about it. After that, I upgraded my FreeRADIUS production server with the new 1.0.5, to see if proxying request it can handle ok the attribute, but I'm still having the same results. The scenario is like this: I'm receiving Accounting packets from a Cisco AS5300 with a FR server (now it's 1.0.5). From those, I'm forwarding some realms to certain customers. There is only one, wich is using Cisco Secure ACS, in wich this is happening. AS5300 sends the Accounting-request packet, FR receives and forwards it (in the detail file I don't see any Message-Authenticator attribute set), ACS receives it and replies with an Accounting-response with a Message-authenticator attribute set. FR receives it and discards it with error: Error: Received packet from <IP address hidden> with invalid Message-Authenticator! (Shared secret is incorrect.) I'am missing something? Any help will be very appreciated. Eng. Paolo Rotela CTO Blue Telecom
"Paolo Rotela" <paolo.rotela@bluetelecom.com> wrote:
Hi. I've downloaded FR 1.0.5 whch is supposed to have a bugfix for Message-Authenticator handling in Accounting-* messages.
The issue is that the suggested method of calculatin Message-Authenticator MAY NOT be the same as what Cisco's using. Because there's no standard, Cisco may be doing almost *anything*.
I'am missing something?
If you can find out the algorithm used by Cisco, we may be able to update FreeRADIUS to handle it. Until then, there isn't much we can do. Alan DeKok.
participants (2)
-
Alan DeKok -
Paolo Rotela