Proxy and clear-text password
Marcel De Boer
marcel.de_boer at alcatel-lucent.be
Tue Jul 3 08:58:36 CEST 2007
Hi!
> The secret key between nas and radius1 is right.
>
> In debug mode I receive a clear password:
>
> Sending Access-Request of id 0 to radius2 port 1645
> User-Password = "estestA243"
> <...>
>
This does not mean you receive a cleartext password, it only means that
the shared secret between the nas and radius1 is correct. The password
is always encrypted on the network, using the shared secret (try it, put
a tcpdump between the nas and radius1). In debugging mode, FreeRADIUS
doesn't print the packet literally as it is on the network, but it tries
to decrypt the password first.
> rad_recv: Access-Reject packet from host radius2:1645, id=0, length=85
> Received Access-Reject packet from client radius2 port 1645 with invalid
> signature (err=2)! (Shared secret is incorrect.) Dropping packet
> without response.
> Finished request 0
>
>
> But, with tcpdump, I only see garbage and radius2 receive garbage.
>
As it should, because the password is _always_ encrypted on the wire. If
radius2 gives a garbage password in its debug output, it means that it
couldn't decode the password because the shared secrets between radius1
and radius2 are not configured to be the same. The error above, which
you receive on radius1, makes this very clear, because radius1 can
immediately see from the reply that the shared secret is incorrect (this
is not a guess, radius1 can be very sure about this: it calculates a
checksum over the reply and the shared secret; if this checksum is not
the same as the one radius2 sent in the packet, the shared secret is wrong).
The only other possibility is that one of your radius servers is so
broken that it should never work with any other proxy or NAS because it
doesn't calculate its checksums correctly. If both are FreeRADIUS, I
really doubt that...
> And we have checked the secret key between radius1 and radius2 and it is
> right. Radius2 detects the access-request as a bad password request (it
> receives garbage in the password)
>
It's not. The _only_ way radius2 can see that the shared secret is
correct in an Access-Request packet is if it is able to decode the
password correctly. The password is garbage in the debug log, so radius2
couldn't decode the password, ergo: the shared secret is wrong.
> There are other local users in radius1 working fine, using the same nas
> and shared secret.
>
This only means that the shared secret between the NAS and radius1 is
configured correctly, not that the one between radius1 and radius2 is
correct. (Note, you didn't post any configuration files, but from what I
could find here (don't have any proxy experience), the shared secret on
radius2 is not the same as the one between the NAS and radius1. The
shared secret between radius1 and radius2 should be configured in
clients.conf on radius2 and in proxy.conf on radius1. Any comments on
this from proxy-users are welcome...)
Gtnx
Marcel
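As an added illustration (not part of Marcel's reply and not FreeRADIUS's own code), the following Python reproduces the two RFC 2865 mechanisms the reply relies on: User-Password hiding with the shared secret and the Request Authenticator (section 5.2), and the Response Authenticator that lets radius1 know for certain that the secret toward radius2 is wrong (section 3). The secrets and the fixed Request Authenticator are constructed values; the password "estestA243" is the one from the quoted debug output.

```python
"""RFC 2865 User-Password hiding and Response Authenticator verification.

Added example for the thread above; all secrets and authenticators are
constructed. Real Request Authenticators are 16 random octets per request.
"""
import hashlib
import hmac
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password as in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 octets. Each 16-octet
    chunk is XORed with MD5(secret + previous_chunk); for the first chunk
    the "previous chunk" is the 16-octet Request Authenticator.
    """
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                      # chaining: next block keys off this ciphertext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse hide_password. With a mismatched secret the output is garbage,
    which is exactly what radius2 printed in its debug log."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, attrs: bytes,
                request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a reply packet (header, Response Authenticator, attributes)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What radius1 does when radius2's reply arrives: recompute the Response
    Authenticator with its own copy of the secret and compare. A mismatch is
    the 'invalid signature (err=2)! (Shared secret is incorrect.)' case."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Return (decoded with right secret, decoded with wrong secret,
    reply verifies with right secret, reply verifies with wrong secret)."""
    secret_ok = b"testing123"          # constructed: the secret both servers should share
    secret_bad = b"testing124"         # constructed: a mistyped copy on radius2
    req_auth = bytes(range(16))        # constructed fixed Request Authenticator
    hidden = hide_password(b"estestA243", secret_ok, req_auth)
    good = reveal_password(hidden, secret_ok, req_auth)
    bad = reveal_password(hidden, secret_bad, req_auth)
    reject = build_reply(3, 0, b"", req_auth, secret_ok)   # Access-Reject, id 0
    return good, bad, verify_reply(reject, req_auth, secret_ok), verify_reply(reject, req_auth, secret_bad)


if __name__ == "__main__":
    good, bad, ok, notok = demo()
    print("right secret decodes to:", good)
    print("wrong secret decodes to:", bad)
    print("reply verifies with right secret:", ok, "/ with wrong secret:", notok)
```

The decode with the wrong secret is the "garbage" radius2 logs, and the failed `verify_reply` is the dropped reply on radius1: both symptoms in the thread come from the same mismatch, and neither is evidence that the password travelled in clear text.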