FR with MySQL. Proxying and repeated entries
Paolo Rotela
paolo.rotela at bluetelecom.com
Mon Sep 12 22:18:05 CEST 2005
Hi. I've downloaded, compiled and installed FR 1.0.5, but I'm still
receiving the same results. The packet is discarded because of an invalid
Message-Authenticator.
This is part of the output (IP address hidden) for a "radclient" with the "-s"
and "-x" options:
rad_recv: Accounting-Response packet from host ******, id=83, length=38
rad_decode: Received packet from ****** with invalid Message-Authenticator!
(Shared secret is incorrect.)
radclient: radclient.c:440: send_one_packet: Assertion `radclient->reply ==
((void *)0)' failed.
Aborted
Should I modify something in the config to let the Message-Authenticator get
handled correctly?
Also, from a TCPDump I don't see any "Message-Authenticator" in the
Accounting-Request constructed by Radclient. I only see
"Message-Authenticator" in the "Accounting-Response" packet constructed by
Cisco ACS and received (and discarded) by FR.
Date: Fri, 19 Aug 2005 15:09:23 -0400
From: "Alan DeKok" <aland at ox.org>
Subject: Re: FR with MySQL. Proxying and repeated entries
To: FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Message-ID: <20050819190923.3D22B16CCA at mail.nitros9.org>
"Paolo Rotela" <paolo.rotela at bluetelecom.com> wrote:
> With this one, Access-* packets go OK, but when the NAS (Cisco AS5300) sends
> an Accounting-Request to that realm and I proxy it to the home server, it
> sends me an Accounting-Response with an (I think) irregular attribute:
> Message-Authenticator (Ext. Attr. 80), which I think is not permitted in the
> RFC for accounting packets.
The IETF RADIUS extensions working group has a document which
proposes fixes to a number of issues like this.
> 1) Am I reading the RFC OK? I mean, is it right that Attribute 80 is NOT
> permitted in Accounting-* packets?
I don't think it's specifically permitted, but it shouldn't be a problem.
> 2) Each time the NAS re-sends packets, FR handles it as if it were a new
> packet, for a new call/connection.
The RFCs say that's what the NAS is supposed to do. So for
FreeRADIUS, it looks like a new connection.
> 3) Is there any known bug or proprietary feature from Cisco which causes this
> incompatibility thing? I've searched about it and didn't find anything.
No. It's a bug in FreeRADIUS.
I'll put a patch into 1.0.5 that should fix it.
Alan DeKok.
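
Added example, not part of the original messages and not FreeRADIUS code: a Python check that separates the two causes the log line above merges, a wrong shared secret versus a Message-Authenticator (attribute 80) computed differently. It assumes the reply's Message-Authenticator follows the rule RFC 2869 defines for access replies (HMAC-MD5 with the Request Authenticator in the header); the secret, request authenticator and packets are constructed, shaped like the logged reply (id=83, length=38).

```python
import hashlib, hmac, struct

MESSAGE_AUTHENTICATOR = 80   # attribute type discussed in the thread

def attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def check_reply(reply, request_auth, secret):
    """Return (response_auth_ok, message_auth_ok); the second is None if attribute 80 is absent."""
    (length,) = struct.unpack("!H", reply[2:4])
    if length < 20 or length > len(reply) or len(request_auth) != 16:
        raise ValueError("bad packet length or request authenticator")
    reply = reply[:length]
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    resp_ok = hmac.compare_digest(digest, reply[4:20])
    msg_ok = None
    for atype, off, value in attributes(reply):
        if atype == MESSAGE_AUTHENTICATOR:
            # Assumed rule: HMAC-MD5 over the packet with the Request Authenticator
            # in the header and the attribute value replaced by zero octets.
            zeroed = (reply[:4] + request_auth + reply[20:off]
                      + bytes(len(value)) + reply[off + len(value):])
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            msg_ok = len(value) == 16 and hmac.compare_digest(mac, value)
            break
    return resp_ok, msg_ok

def build_reply(code, ident, request_auth, secret, mac_field=None):
    """Constructed sample: a 38-byte reply whose only attribute is Message-Authenticator."""
    head = struct.pack("!BBH", code, ident, 38)
    field = request_auth if mac_field is None else mac_field  # header used for the HMAC
    blank = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    mac = hmac.new(secret, head + field + blank, hashlib.md5).digest()
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + mac
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs

if __name__ == "__main__":
    req, key = bytes(range(16)), b"constructed-secret"
    print(check_reply(build_reply(5, 83, req, key), req, key))             # same rule
    print(check_reply(build_reply(5, 83, req, key, bytes(16)), req, key))  # other rule
    print(check_reply(build_reply(5, 83, req, key), req, b"wrong"))        # bad secret
```

A result of (True, False) means the shared secret matches and only the Message-Authenticator calculation disagrees; (False, False) points at the secret or the request authenticator.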