problem with radclient
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Oct 17 12:15:30 CEST 2012
On 17 Oct 2012, at 10:48, Vladimir Grujić <Vladimir.Grujic at oriontelekom.rs> wrote:
> I am just pointing out that this is not occurring when the packet is sent directly over the wire without PACKET-Src-IP-Address mangling over originating IP on another setup (same binaries) to the same NAS.
... so the NAS probably doesn't have the correct shared secret associated with the src IP address in the packet. Check your traces to see that it's set to what you expect.
In your attribute list include the AVP:
Message-Authenticator = 0x00
your NAS will probably stop responding to disconnect requests (if it actually validates the Message-Authenticator).
Read through the code in radclient.c
https://github.com/FreeRADIUS/freeradius-server/blob/master/src/main/radclient.c#L819
The call to rad_verify is just using the secret specified on the command line; it is not dependent on src IP address. UDP packet headers are *NOT* used when calculating the Message-Authenticator, as shown by the RFC snippet I posted previously.
-Arran
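
The point made in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: a Message-Authenticator check for a Disconnect-Request following the RFC 5176 rule (HMAC-MD5 keyed with the shared secret, with the Request Authenticator and Message-Authenticator fields treated as sixteen zero octets), so the only inputs are the RADIUS packet bytes and the secret. The function names, secrets and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43
MESSAGE_AUTHENTICATOR = 80

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(ident, attrs, secret):
    """Build a Disconnect-Request signed per RFC 5176."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    # HMAC-MD5 over the packet with Request Authenticator and
    # Message-Authenticator both treated as sixteen zero octets.
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = attrs + attr(MESSAGE_AUTHENTICATOR, mac)
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body

def verify_message_authenticator(packet, secret):
    """Receiver-side check: inputs are the RADIUS bytes and the secret only."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    zeroed = bytearray(packet)
    zeroed[4:20] = bytes(16)
    received, pos = None, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    if received is None or pos != length:
        return False
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

# Constructed sample values, not taken from the thread.
SAMPLE_ATTRS = attr(1, b"alice") + attr(44, b"0000002A")
PACKET = build_disconnect_request(7, SAMPLE_ATTRS, b"secret-for-nas")
```

The verifier takes no address argument: a packet signed with one secret fails against a receiver configured with a different secret, whatever source IP the UDP header carries.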