"Invalid packet code 11 sent to authentication port from client" error
Alan DeKok
aland at deployingradius.com
Fri Mar 19 18:56:26 CET 2010
Rob Brickhouse wrote:
> I hope someone can help me with this. I tested setting up freeradius
> 2.1.6 on an opensuse 10.2 box and was able to get everything
> authenticating against novell edirectory. Now that I'm finally ready to
> put it on my production box, only 2.1.8 is available but I figure no big
> deal since it appeared to have a lot of fixes. After going through and
> setting everything up like I did before, I can use my test utility to
> verify that I can successfully read the username and password from
> edirectory but I get the message "Invalid packet code 11 sent to
> authentication port from client TESAP8 port 1041 : IGNORED" when my
> Netgear access point connects.
The AP is broken. Throw it in the garbage and buy one that implements
RADIUS.
> I can change the ip to my 2.1.6
> freeradius box and it works so I don't think the issue is with my AP
> even though that is what the message seems to indicate.
I don't see why that would make any difference. What does the debug
log from 2.1.6 look like?
...
> Sending Access-Challenge of id 20 to 10.6.4.108 port 1041
> EAP-Message = 0x010100160410eae98bafd4b076dcf8b6341b415000fe
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x731ac834731bcca6975b39a87528fad1
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> Invalid packet code 11 sent to authentication port from client TESAP8
> port 1041 : IGNORED
IIRC, this is similar to a bug seen before. If it sees an
Access-Challenge with State *after* Message-Authenticator, it "bounces"
the packet back to the RADIUS server. This is two errors:
1) order of attributes does not matter
2) clients do not send Access-Challenge to a server.
There is NO WAY that an AP should send an Access-Challenge to a
server. If it does, then the AP is horribly broken.
My guess is that this is a very old AP using a broken firmware image.
Or, it's a new one, and the vendor didn't bother to implement RADIUS
correctly.
Alan DeKok.
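
An added example, not part of the original message and not FreeRADIUS code: a minimal RADIUS decoder that rebuilds the Access-Challenge from the debug log above, shows that the two attribute orderings decode to the same thing, and applies a simplified auth-port rule (only Access-Request is accepted from a client; Status-Server is left out). The all-zero authenticator, the function names and the verdict strings are assumptions made for illustration.

```python
import struct

# Packet codes (RFC 2865/2866) and the attribute types seen in the log (RFC 2865/3579)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ATTRS = {24: "State", 79: "EAP-Message", 80: "Message-Authenticator"}

def build(code, ident, attrs):
    """Encode a packet; the 16-byte authenticator is a constructed all-zero value."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse(data):
    """Return (code, id, {attribute name: value}); raise ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        name = ATTRS.get(atype, "Attr-%d" % atype)
        # Repeated attributes (e.g. fragmented EAP-Message) are concatenated.
        attrs[name] = attrs.get(name, b"") + data[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs  # a dict: attribute order carries no meaning

def auth_port_verdict(data, client="TESAP8"):
    """Simplified server-side rule: a client may only send Access-Request here."""
    code, ident, _ = parse(data)
    if code == 1:
        return "ACCEPTED Access-Request id %d" % ident
    return "Invalid packet code %d (%s) from client %s : IGNORED" % (
        code, CODES.get(code, "unknown"), client)

# Attribute values copied from the debug log in the quoted message.
EAP = bytes.fromhex("010100160410eae98bafd4b076dcf8b6341b415000fe")
STATE = bytes.fromhex("731ac834731bcca6975b39a87528fad1")
CHALLENGE = build(11, 20, [(79, EAP), (80, bytes(16)), (24, STATE)])  # order as sent
REORDERED = build(11, 20, [(79, EAP), (24, STATE), (80, bytes(16))])  # State first

if __name__ == "__main__":
    print(parse(CHALLENGE)[2] == parse(REORDERED)[2])  # same attributes either way
    print(auth_port_verdict(CHALLENGE))                # what the server does on a bounce
```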