Invalid reply digest received? Password encryption?
Jim Whitescarver
jimscarver at gmail.com
Thu Jun 9 23:11:14 CEST 2011
Freeradius reports "Sending Access-Accept " (see log below) but we are
getting the message on our Cisco VPN box
"Radius: Invalid reply digest received; the shared-secret may be incorrect"
We have triple-checked the shared secret and it is correct. With the
wrong secret it does not authenticate at all. Any ideas on what else
might be causing that?
Also, the password comes from the Cisco VPN to freeradius encrypted.
I had to resort to including the token in the userid field to make it
work. Any ideas how to decrypt the password? I have tried some tools
on the net like cisco-decrypt but it says the encrypted password I
give it is invalid. I notice users in the users file are
authenticated properly although the password is encrypted. I need
to decrypt the password in my python module.
Thanks,
Jim
Ready to process requests.
rad_recv: Access-Request packet from host 135.207.5.9 port 1936,
id=173, length=133
User-Name = "jw701e%1307649138237"
User-Password = "||\027\327j=\225\035|\376\0221\376j\366`"
NAS-Port = 2017
Service-Type = Framed-User
Framed-Protocol = PPP
Called-Station-Id = "204.178.3.9"
Calling-Station-Id = "204.178.9.131"
Tunnel-Client-Endpoint:0 = "204.178.9.131"
NAS-IP-Address = 135.207.5.9
NAS-Port-Type = Virtual
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jw701e%1307649138237", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
*** authorize ***
*** RADlog call in authorize ***
(('User-Name', '"jw701e%1307649138237"'), ('User-Password',
'"||\\027\\327j=\\225\\035|\\376\\0221\\376j\\366`"'), ('NAS-Port',
'2017'), ('Service-Type', 'Framed-User'), ('Framed-Protocol', 'PPP'),
('Called-Station-Id', '"204.178.3.9"'), ('Calling-Station-Id',
'"204.178.9.131"'), ('Tunnel-Client-Endpoint:0', '"204.178.9.131"'),
('NAS-IP-Address', '135.207.5.9'), ('NAS-Port-Type', 'Virtual'))
User-Name: "jw701e%1307649138237"
User-Password: "||\027\327j=\225\035|\376\0221\376j\366`"
NAS-Port: 2017
Service-Type: Framed-User
Framed-Protocol: PPP
Called-Station-Id: "204.178.3.9"
Calling-Station-Id: "204.178.9.131"
Tunnel-Client-Endpoint:0: "204.178.9.131"
NAS-IP-Address: 135.207.5.9
NAS-Port-Type: Virtual
User: jw701e%1307649138237 Pwd: ||\027\327j=\225\035|\376\0221\376j\366`
Userid: jw701e at research.att.com Pwd: 1307649138237
Authenticate User: jw701e
SAFE authentication successful: jw701e
++[python] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = PYTHON
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PYTHON {...}
++[python] returns ok
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 173 to 135.207.5.9 port 1936
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 173 with timestamp +13
Ready to process requests.
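
Added example, not part of the original post and not FreeRADIUS or Cisco code: RFC 2865 hides User-Password by XORing it with MD5(shared secret + Request Authenticator) and signs each reply with an MD5 over the reply, the Request Authenticator and the same secret. This Python sketch implements both and shows what a one-byte secret mismatch does to each; it assumes the "reply digest" in the Cisco message is that Response Authenticator, and all function names, secrets and packet values are constructed.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-secret"    # constructed sample shared secret
WRONG = b"constructed-secrets"    # same secret with one byte appended
REQ_AUTH = bytes(range(16))       # constructed 16-byte Request Authenticator

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, request_auth):
    """NAS side, RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = RA."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)   # round up to 16-byte blocks
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Server side: same keystream, chained on the received ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")                     # drop the NUL padding

def build_reply(code, ident, attrs, request_auth, secret):
    """RFC 2865 sec. 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def reply_is_valid(reply, request_auth, secret):
    """NAS side: recompute the digest with the local secret and compare."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    hidden = hide_password(b"constructed-token-0123456789", SECRET, REQ_AUTH)
    print(unhide_password(hidden, SECRET, REQ_AUTH), unhide_password(hidden, WRONG, REQ_AUTH))
    reply = build_reply(2, 173, b"", REQ_AUTH, SECRET)   # code 2 = Access-Accept
    print(reply_is_valid(reply, REQ_AUTH, SECRET), reply_is_valid(reply, REQ_AUTH, WRONG))
```

The server never rejects a request just because the secret differs: unhiding with the wrong secret simply yields unreadable bytes, while the NAS does detect the mismatch when it recomputes the reply digest.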