problem with radclient

Vladimir Grujić Vladimir.Grujic at oriontelekom.rs
Wed Oct 17 11:48:35 CEST 2012


I am just pointing out that this is not occurring when the packet is sent directly over the wire, without Packet-Src-IP-Address mangling of the originating IP, on another setup (same binaries) to the same NAS.

Vladimir

________________________________________
From: freeradius-devel-bounces+vladimir.grujic=oriontelekom.rs at lists.freeradius.org [freeradius-devel-bounces+vladimir.grujic=oriontelekom.rs at lists.freeradius.org] on behalf of Arran Cudbard-Bell [a.cudbardb at freeradius.org]
Sent: Wednesday, October 17, 2012 11:31 AM
To: FreeRadius developers mailing list
Subject: Re: problem with radclient

>
>
> rad_recv: Disconnect-ACK packet from host 1.1.1.1 port 3799, id=110, length=43
> rad_verify: Received Disconnect-ACK packet from home server 1.1.1.1 port 3799 with invalid signature!  (Shared secret is incorrect.)
> radclient: no response from server for ID 110 socket 3
>
> The user is disconnected properly, but radclient does not recognize that response (I've used just -r 1 in this case; when using -r 3 I see additional packets sent, but they of course get a Disconnect-NAK).

No. It does recognise the response, it says pretty explicitly it recognised the response, it's saying that the value of the Message-Authenticator is incorrect.

>
> I traced the communication, and only one packet is sent and one is received.
>
> Looks like the problem is in the logic of the rad_verify function when using Packet-Src-IP-Address.

Have you actually verified the Message-Authenticator returned in the Disconnect-Ack is correct?

      When a Message-Authenticator Attribute is included within a CoA-
      ACK, CoA-NAK, Disconnect-ACK, or Disconnect-NAK, it is calculated
      as follows:

         Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
         Request Authenticator, Attributes)

      When the HMAC-MD5 message integrity check is calculated, the
      Message-Authenticator Attribute MUST be considered to be sixteen
      octets of zero.  The Request Authenticator is taken from the
      corresponding CoA/Disconnect-Request.  The Message-Authenticator
      is calculated and inserted in the packet before the Response
      Authenticator is calculated.

-Arran
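The RFC 5176 calculation quoted above, as an added example that is not from this thread or from FreeRADIUS's own code: it builds a Disconnect-ACK carrying a Message-Authenticator and then verifies one the way a rad_verify step would, so that a wrong shared secret or a mismatched Request Authenticator shows up as a failed check rather than a mystery. The secret, identifier, Request Authenticator and attribute values are constructed for the example.

```python
import hmac
import hashlib
import struct

DISCONNECT_ACK = 41          # RADIUS code for Disconnect-ACK (RFC 5176)
MESSAGE_AUTHENTICATOR = 80   # attribute type (RFC 3579)
ACCT_TERMINATE_CAUSE = 49    # sample attribute carried in the ACK

def build_response(code, ident, request_auth, attrs, secret):
    """Build a CoA/Disconnect response: Message-Authenticator is an HMAC-MD5
    over Code, Identifier, Length, the *Request* Authenticator and the
    attributes (with the MA itself zeroed); the Response Authenticator is
    computed afterwards over the finished packet plus the secret."""
    zeroed = attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", code, ident, 20 + len(zeroed))
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    body = attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_auth, secret):
    """Return (message_authenticator_ok, response_authenticator_ok).
    message_authenticator_ok is None when the packet carries no MA."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        return (False, False)            # truncated or padded packet
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    zeroed, received_mac, pos = bytearray(attrs), None, 0
    while pos + 2 <= len(attrs):         # walk the TLV attribute list
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return (False, False)        # malformed attribute length
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received_mac = attrs[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)   # MA counts as 16 zero octets
        pos += alen
    ra_ok = hmac.compare_digest(
        hashlib.md5(header + request_auth + attrs + secret).digest(), resp_auth)
    if received_mac is None:
        return (None, ra_ok)
    expected = hmac.new(secret, header + request_auth + bytes(zeroed),
                        hashlib.md5).digest()
    return (hmac.compare_digest(expected, received_mac), ra_ok)

if __name__ == "__main__":
    secret, req_auth = b"testing123", bytes(range(16))      # constructed values
    cause = bytes([ACCT_TERMINATE_CAUSE, 6]) + (6).to_bytes(4, "big")  # Admin-Reset
    ack = build_response(DISCONNECT_ACK, 110, req_auth, cause, secret)
    print(verify_response(ack, req_auth, secret))   # (True, True)
    print(verify_response(ack, req_auth, b"wrong")) # (False, False): "Shared secret is incorrect"
```

Checking a captured Disconnect-ACK against the Request Authenticator of the request that was actually sent separates a genuinely wrong secret on the NAS from a client-side mismatch in which request the reply is matched to.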