problem with radclient
Vladimir.Grujic at oriontelekom.rs
Wed Oct 17 11:48:35 CEST 2012
I am just pointing out that this is not occurring when packet is sent directly over wire without PACKET-Src-IP-Address mangling over originating ip on another setup (same binaries) to the same nas.
From: freeradius-devel-bounces+vladimir.grujic=oriontelekom.rs at lists.freeradius.org [freeradius-devel-bounces+vladimir.grujic=oriontelekom.rs at lists.freeradius.org] on behalf of Arran Cudbard-Bell [a.cudbardb at freeradius.org]
Sent: Wednesday, October 17, 2012 11:31 AM
To: FreeRadius developers mailing list
Subject: Re: problem with radclient
> rad_recv: Disconnect-ACK packet from host 220.127.116.11 port 3799, id=110, length=43
> rad_verify: Received Disconnect-ACK packet from home server 18.104.22.168 port 3799 with invalid signature! (Shared secret is incorrect.)
> radclient: no response from server for ID 110 socket 3
> user is disconnected properly but radclient does not recognize that response ( I've used just -r 1 in this case, when using -r 3 i see additional packets sent but they of course get a Disconnect-NAK)
No. It does recognise the response, it says pretty explicitly it recognised the response, it's saying that the value of the Message-Authenticator is incorrect.
> i traced the communication and only one packet send and one is received.
> Looks like the problem is in the logic of rad_verify function when using Packet-Src-IP-Address.
Have you actually verified the Message-Authenticator returned in the Disconnect-Ack is correct?
When a Message-Authenticator Attribute is included within a CoA-
ACK, CoA-NAK, Disconnect-ACK, or Disconnect-NAK, it is calculated
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
Request Authenticator, Attributes)
When the HMAC-MD5 message integrity check is calculated, the
Message-Authenticator Attribute MUST be considered to be sixteen
octets of zero. The Request Authenticator is taken from the
corresponding CoA/Disconnect-Request. The Message-Authenticator
is calculated and inserted in the packet before the Response
Authenticator is calculated.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
More information about the Freeradius-Devel