Proxy Problem maybe a bug!

Mitaine Yoann ymitaine at yahoo.fr
Wed Aug 16 14:45:48 CEST 2006


Dear everybody,

I've installed the radius's CVS version of 08-02-06.

I have this architecture:
    client <====> AP <====> Radius A <====> Radius B
                                    proxying
with this proxy.conf file:

realm NULL {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

realm AAA {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
        type            = radius
}

realm BBB {
        type            = radius
        authhost        = 147.173.3.249:1812
        accthost        = 147.173.3.249:1813
        secret          = RaDCNRSgreCentr1
        nostrip
}


#  This realm is for ALL OTHER requests.
##
realm DEFAULT {
        type            = radius
        authhost        = anIP@:1812
        accthost        = anIP@:1813
        secret          = RaDCNRSgreCentr1
        nostrip
}

I tried to use the proxy configuration between Server A and Server B.
Server A sent a proxied Access-Request to Server B.

When Server B answered the proxied request with a proxied
Access-Challenge, I got an error message like this:
"Received Unknown packet code 11from client 147.173.3.249 port 1812: Cannot validate signature Dropping packet without response."

So I searched for what could cause this error, and I think
I found it in the radius.c file, at the end of the rad_verify
function, in the last switch-case code:

/*
 *      Calculate and/or verify digest.
 */
switch (packet->code) {
        int rcode;
        char buffer[32];

        case PW_AUTHENTICATION_REQUEST:
        case PW_STATUS_SERVER:
        case PW_DISCONNECT_REQUEST:
                /*
                 *      The authentication vector is random
                 *      nonsense, invented by the client.
                 */
                break;

        case PW_ACCOUNTING_REQUEST:
                if (calc_acctdigest(packet, secret) > 1) {
                        librad_log("Received Accounting-Request packet "
                                   "from %s with invalid signature!  (Shared secret is incorrect.)",
                                   inet_ntop(packet->src_ipaddr.af,
                                             &packet->src_ipaddr.ipaddr,
                                             buffer, sizeof(buffer)));
                        return -1;
                }
                break;

        /* Verify the reply digest */
        case PW_AUTHENTICATION_ACK:
        case PW_AUTHENTICATION_REJECT:
        case PW_ACCOUNTING_RESPONSE:
                rcode = calc_replydigest(packet, original, secret);
                if (rcode > 1) {
                        librad_log("Received %s packet "
                                   "from client %s port %d with invalid signature (err=%d)!  (Shared secret is incorrect.)",
                                   packet_codes[packet->code],
                                   inet_ntop(packet->src_ipaddr.af,
                                             &packet->src_ipaddr.ipaddr,
                                             buffer, sizeof(buffer)),
                                   packet->src_port,
                                   rcode);
                        return -1;
                }
                break;

        default:
                librad_log("Received Unknown packet code %d"
                           "from client %s port %d: Cannot validate signature",
                           packet->code,
                           inet_ntop(packet->src_ipaddr.af,
                                     &packet->src_ipaddr.ipaddr,
                                     buffer, sizeof(buffer)),
                           packet->src_port);
                return -1;
}

There was no case for the Access-Challenge request, so I added it
(case PW_ACCESS_CHALLENGE).
And now the proxy request works!
I would like to know if the change is correct and if somebody has already had this error.

Yours sincerely.
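
The reply check discussed in the message above, as an added Python example that is not part of the original post and is not FreeRADIUS code. It follows RFC 2865, which computes the Response Authenticator the same way for Access-Accept, Access-Reject and Access-Challenge; the function names, the `LEGACY_CODES` set and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2865 / RFC 2866.
ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 2, 3, 5, 11
REPLY_CODES = frozenset({ACCESS_ACCEPT, ACCESS_REJECT,
                         ACCOUNTING_RESPONSE, ACCESS_CHALLENGE})

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Assemble a signed reply the way the home server (Radius B) would."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return header + auth + attrs

def verify_reply(packet, request_auth, secret, reply_codes=REPLY_CODES):
    """Return (ok, reason) for a reply received by the proxy (Radius A)."""
    if len(packet) < 20:
        return False, "packet too short"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False, "bad length field"
    if code not in reply_codes:
        # Same outcome as the default: branch in the quoted switch.
        return False, "unknown code %d" % code
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "invalid signature"
    return True, "ok"

# Constructed sample data, not taken from the post.
SECRET = b"constructed-secret"
REQUEST_AUTH = bytes(range(16))
STATE_ATTR = bytes([24, 6]) + b"abcd"      # State attribute (type 24)
CHALLENGE = build_reply(ACCESS_CHALLENGE, 7, STATE_ATTR, REQUEST_AUTH, SECRET)
LEGACY_CODES = REPLY_CODES - {ACCESS_CHALLENGE}

if __name__ == "__main__":
    print(verify_reply(CHALLENGE, REQUEST_AUTH, SECRET))
    print(verify_reply(CHALLENGE, REQUEST_AUTH, SECRET, LEGACY_CODES))
    print(verify_reply(CHALLENGE, REQUEST_AUTH, b"wrong-secret"))
```

Passing `LEGACY_CODES` reproduces the drop described in the message: a correctly signed Access-Challenge is rejected before its authenticator is ever checked.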


 		