problem with radclient

Vladimir Grujić Vladimir.Grujic at
Wed Oct 17 11:48:35 CEST 2012

I am just pointing out that this is not occurring when the packet is sent directly over the wire without PACKET-Src-IP-Address mangling over the originating IP on another setup (same binaries) to the same NAS.


From: at [ at] on behalf of Arran Cudbard-Bell [a.cudbardb at]
Sent: Wednesday, October 17, 2012 11:31 AM
To: FreeRadius developers mailing list
Subject: Re: problem with radclient

> rad_recv: Disconnect-ACK packet from host port 3799, id=110, length=43
> rad_verify: Received Disconnect-ACK packet from home server port 3799 with invalid signature!  (Shared secret is incorrect.)
> radclient: no response from server for ID 110 socket 3
> The user is disconnected properly but radclient does not recognize that response (I've used just -r 1 in this case; when using -r 3 I see additional packets sent, but they of course get a Disconnect-NAK)

No. It does recognise the response, it says pretty explicitly it recognised the response, it's saying that the value of the Message-Authenticator is incorrect.

> I traced the communication and only one packet is sent and one is received.
> Looks like the problem is in the logic of the rad_verify function when using Packet-Src-IP-Address.

Have you actually verified the Message-Authenticator returned in the Disconnect-Ack is correct?

      When a Message-Authenticator Attribute is included within a CoA-
      ACK, CoA-NAK, Disconnect-ACK, or Disconnect-NAK, it is calculated
      as follows:

         Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
         Request Authenticator, Attributes)

      When the HMAC-MD5 message integrity check is calculated, the
      Message-Authenticator Attribute MUST be considered to be sixteen
      octets of zero.  The Request Authenticator is taken from the
      corresponding CoA/Disconnect-Request.  The Message-Authenticator
      is calculated and inserted in the packet before the Response
      Authenticator is calculated.

More information about the Freeradius-Devel mailing list
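
The check asked about in the quoted reply can be done offline against a captured packet. The following is an added example, not part of the original thread and not FreeRADIUS code: it recomputes the Message-Authenticator and the Response Authenticator of a reply exactly as the quoted specification text describes. The shared secret, Request Authenticator and attributes are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type

def msg_auth_offset(packet):
    """Offset of the 16-octet Message-Authenticator value, or None if absent."""
    pos = 20  # attributes start after the 20-octet RADIUS header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH and alen == 18:
            return pos + 2
        pos += alen
    return None

def sign_reply(code, ident, attrs, request_auth, secret):
    """Build a reply; attrs carries Message-Authenticator as 16 zero octets."""
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs)
    off = msg_auth_offset(pkt)
    if off is not None:  # HMAC first, while the header still holds the Request Authenticator
        pkt[off:off + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()  # Response Authenticator last
    return bytes(pkt)

def verify_reply(packet, request_auth, secret):
    """Return (response_authenticator_ok, message_authenticator_ok or None)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad length")
    work = bytearray(packet)
    work[4:20] = request_auth  # authenticator of the matching Disconnect-Request
    resp_ok = hmac.compare_digest(hashlib.md5(bytes(work) + secret).digest(), packet[4:20])
    off = msg_auth_offset(packet)
    if off is None:
        return resp_ok, None
    work[off:off + 16] = bytes(16)  # attribute counts as sixteen zero octets
    expected = hmac.new(secret, bytes(work), hashlib.md5).digest()
    return resp_ok, hmac.compare_digest(expected, packet[off:off + 16])

# Constructed sample values, not taken from the capture discussed in the thread.
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))
ATTRS = struct.pack("!BBI", 101, 6, 201) + bytes([MSG_AUTH, 18]) + bytes(16)  # Error-Cause, then M-A
ACK = sign_reply(41, 110, ATTRS, REQ_AUTH, SECRET)  # code 41 = Disconnect-ACK

if __name__ == "__main__":
    print(verify_reply(ACK, REQ_AUTH, SECRET), verify_reply(ACK, bytes(16), SECRET))
```

The two results are reported separately, so a reply whose Response Authenticator validates but whose Message-Authenticator was computed over the wrong Request Authenticator shows up as `(True, False)`.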