RADIUS packet did not have correct Message-Authenticator

Norbert Wegener nw at sbs.de
Fri Dec 16 19:20:47 CET 2005


I do an EAP/TLS authentication and after that an AD search. This works so far.
But when setting the groupmembership in the ldap1 section, there are problems.
I do not see the usual EAP messages flying around, but nevertheless radius sends an Access-Accept:

rlm_ldap::ldap_groupcmp: User found in group 515
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 25
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 0 to 149.246.133.44 port 32770
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = "Core1"
Finished request 0

On the client side, where I have eapol_test, I get an error:

STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.24 sec
No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator - dropped
STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet
When it is there, radius sends an Access-Accept.

This is from my radiusd.conf:

ldap ldap1 {
        server = "globalcatalogue"
        port = 3268     # global catalogue server
        identity = "testrad at TDE002.MYDOM.NET"
        password = "mypass"
        basedn = "dc=MYDOM,dc=NET"
        filter = "(&(servicePrincipalName=%{Stripped-User-Name:-%{User-Name}})(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        ldap_debug = 0xFFFF
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
                start_tls = no
        }
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        groupmembership_attribute = "primaryGroupID"
}

authorize {
        preprocess
        eap
        ldap1 {
                notfound = reject
        }
        files
}

The complete output of radius -AX is lengthy and therefore not included. It can be found at:
http://www.wegener-net.de/fr/bad-group , where the error occurs,
http://www.wegener-net.de/fr/ok-nogroup , where the authentication works as expected.
As mentioned above, the only difference in the configuration is the use of groupmembership.

Any hints are really appreciated.
Thanks
Norbert Wegener
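The eapol_test log above shows the reply being dropped because the Message-Authenticator attribute is absent, not because its value is wrong. The following added example (my own code, not from the post, FreeRADIUS or hostapd) models both ends of that exchange: the server-side signing order RFC 2869 section 5.14 and RFC 2865 section 3 prescribe for an Access-Accept, and the client-side check that refuses a reply lacking the attribute. The shared secret, the fixed Request Authenticator and the packet bytes are constructed for illustration; the three Tunnel-* attributes carry the numeric codes for the VLAN values seen in the debug output.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81

# Constructed values, not from the post: a stand-in shared secret and a
# fixed Request Authenticator (a real client sends 16 random octets).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))

# The three VLAN attributes the server in the post returned, all with tag 0.
VLAN_ATTRS = [
    (ATTR_TUNNEL_TYPE, struct.pack("!I", 13)),        # tag 0, VLAN
    (ATTR_TUNNEL_MEDIUM_TYPE, struct.pack("!I", 6)),  # tag 0, IEEE-802
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00Core1"),     # tag 0, "Core1"
]


def encode_attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(body):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret, include_msg_auth=True):
    """Server side: build an Access-Accept/Reject/Challenge.

    RFC 2869 section 5.14: Message-Authenticator is HMAC-MD5(secret) over the
    packet with the Request Authenticator in the Authenticator field and the
    Message-Authenticator value zeroed.  The Response Authenticator (RFC 2865
    section 3) is then MD5 over the finished packet followed by the secret.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    if include_msg_auth:
        body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if include_msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac  # Message-Authenticator is the last attribute here
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """Client side: the checks a supplicant such as eapol_test applies.

    Returns (accepted, reason); a missing attribute is a hard failure.
    """
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False, "bad Response Authenticator"
    try:
        attrs = parse_attrs(body)
    except ValueError as exc:
        return False, str(exc)
    offset, ma_value = 20, None  # offset is the packet index of the current attribute
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            ma_value = value
            break
        offset += 2 + len(value)
    if ma_value is None:
        return False, "No Message-Authenticator attribute found"
    if len(ma_value) != 16:
        return False, "malformed Message-Authenticator"
    ma_start = offset + 2
    zeroed = header + request_auth + packet[20:ma_start] + bytes(16) + packet[ma_start + 16:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, ma_value):
        return False, "incorrect Message-Authenticator"
    return True, "ok"


def demo():
    """Client verdict on a properly signed reply and on one built without the attribute."""
    signed = build_response(ACCESS_ACCEPT, 0, REQUEST_AUTH, VLAN_ATTRS, SECRET)
    unsigned = build_response(ACCESS_ACCEPT, 0, REQUEST_AUTH, VLAN_ATTRS, SECRET,
                              include_msg_auth=False)
    return verify_response(signed, REQUEST_AUTH, SECRET), verify_response(unsigned, REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second verdict reproduces the "No Message-Authenticator attribute found" path from the log: the Response Authenticator is fine, so the packet is genuine, but the supplicant still discards it. In the debug output the Auth-Type Accept comes from the DEFAULT entry in the users file rather than from the eap module, which is consistent with the reply being built without the attribute an EAP client expects.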