Proxy and clear-text password

Luis Galan radius at claranet.es
Wed Jul 4 13:38:30 CEST 2007


Hello!

great!! Fantastic!!
it works!!

Thank you very much for your help. You put me in the right direction and 
you helped me to understand the whole thing.
You should work as a teacher :-)

I was really lost!

Thanks
Luis


Marcel De Boer wrote:
> Hi!
> 
>> The secret key between nas and radius1 is right.
>>
>> In debug mode I receive a clear password:
>>
>> Sending Access-Request of id 0 to radius2 port 1645
>>          User-Password = "estestA243"
>> <...>
>>   
> 
> This does not mean you receive a cleartext password, it only means that 
> the shared secret between the nas and radius1 is correct. The password 
> is always encrypted on the network, using the shared secret (try it, put 
> a tcpdump between the nas and radius1). In debugging mode, FreeRADIUS 
> doesn't print the packet literally as it is on the network, but it tries 
> to decrypt the password first.
> 
>> rad_recv: Access-Reject packet from host radius2:1645, id=0, length=85
>> Received Access-Reject packet from client radius2 port 1645 with invalid 
>> signature (err=2)!  (Shared secret is incorrect.) Dropping packet 
>> without response.
>> Finished request 0
>>
>>
>> But, with tcpdump, I only see garbage and radius2 receives garbage.
>>   
> 
> As it should, because the password is _always_ encrypted on the wire. If 
> radius2 gives a garbage password in its debug output, it means that it 
> couldn't decode the password because the shared secrets between radius1 
> and radius2 are not configured to be the same. The error above, which 
> you receive on radius1 makes this very clear, because radius1 can 
> immediately see from the reply that the shared secret is incorrect (this 
> is not a guess, radius1 can be very sure about this: it calculates a 
> checksum over the reply and the shared secret, if this checksum is not 
> the same as the one radius2 sent in the packet, the shared secret is wrong).
> 
> The only other possibility is that one of your radius servers is so 
> broken that it should never work with any other proxy or NAS because it 
> doesn't calculate its checksums correctly. If both are FreeRADIUS, I 
> really doubt that...
> 
>> And we have checked the secret key between radius1 and radius2 and it is 
>> right. Radius2 detects the access-request as a bad password request (it 
>> receives garbage in the password)
>>   
> 
> It's not. The _only_ way radius2 can see that the shared secret is 
> correct in an Access-Request packet is if it is able to decode the 
> password correctly. The password is garbage in the debug log, so radius2 
> couldn't decode the password, ergo: the shared secret is wrong.
> 
>> There are other local users in radius1 working fine, using the same nas 
>> and shared secret.
>>   
> 
> This only means that the shared secret between the NAS and radius1 is 
> configured correctly, not that the one between radius1 and radius2 is 
> correct. (Note, you didn't post any configuration files, but from what I 
> could find here (don't have any proxy experience), the shared secret on 
> radius2 is not the same as the one between the NAS and radius1. The 
> shared secret between radius1 and radius2 should be configured in 
> clients.conf on radius2 and in proxy.conf on radius1. Any comments on 
> this from proxy-users are welcome...)
> 
> Gtnx
>     Marcel
> 
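The two mechanisms Marcel describes (User-Password hiding with the shared secret, and the Response Authenticator check that lets radius1 tell the secret is wrong) as an added example written for this page, not code from FreeRADIUS; it follows RFC 2865, and the secret and Request Authenticator values are constructed.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous block); the first 'previous block'
    is the 16-byte Request Authenticator of the Access-Request."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse of hide_password. With the wrong secret the XOR mask is wrong
    and the result is exactly the 'garbage' seen in radius2's debug output."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the 'checksum over the reply and the shared secret' radius1 verifies."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply_signature_ok(code: int, ident: int, attrs: bytes, request_auth: bytes,
                       resp_auth: bytes, secret: bytes) -> bool:
    """What radius1 does on receiving the Access-Reject: recompute the
    authenticator with its own secret and compare (constant time)."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, resp_auth)

# Constructed values for demonstration only.
SECRET_RADIUS1 = b"proxy-secret-on-radius1"   # proxy.conf on radius1
SECRET_RADIUS2 = b"client-secret-on-radius2"  # clients.conf on radius2 (mismatched)
REQUEST_AUTH = bytes(range(16))               # would be random per request
ACCESS_REJECT = 3
```

Hiding the password with one secret and unhiding it with the other yields garbage, and an Access-Reject signed with the mismatched secret fails the authenticator check, which is the "invalid signature (err=2)" path in the log above.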
