rad_verify: Received Disconnect-ACK packet from home server with invalid signature! (Shared secret is incorrect.) for CoA, and PoD

Martin martynion at yahoo.com
Wed Sep 7 11:15:14 CEST 2011


Hi,

I am trying CoA and DM with Alvarion ASN-GW, and all the time I see "Shared secret is incorrect" for the ACK/NAK messages received from the ASN. With other AAA, based also on FR, it is not happening.

No.     Time        Source                Destination           Protocol Info
      1 0.000000    192.168.60.28         192.168.60.122        RADIUS   Disconnect-Request(40) (id=28, l=126)

Frame 1: 168 bytes on wire (1344 bits), 168 bytes captured (1344 bits)
    Arrival Time: Sep  7, 2011 11:56:04.799904000 E. Europe Daylight Time
    Epoch Time: 1315385764.799904000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 168 bytes (1344 bits)
    Capture Length: 168 bytes (1344 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:radius]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: IntelCor_3d:2f:ef (00:1b:21:3d:2f:ef), Dst: Cisco_82:0b:0c (00:23:33:82:0b:0c)
    Destination: Cisco_82:0b:0c (00:23:33:82:0b:0c)
        Address: Cisco_82:0b:0c (00:23:33:82:0b:0c)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: IntelCor_3d:2f:ef (00:1b:21:3d:2f:ef)
        Address: IntelCor_3d:2f:ef (00:1b:21:3d:2f:ef)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.60.28 (192.168.60.28), Dst: 192.168.60.122 (192.168.60.122)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 154
    Identification: 0xe708 (59144)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x9963 [correct]
        [Good: True]
        [Bad: False]
    Source: 192.168.60.28 (192.168.60.28)
    Destination: 192.168.60.122 (192.168.60.122)
User Datagram Protocol, Src Port: 44512 (44512), Dst Port: radius-dynauth (3799)
    Source port: 44512 (44512)
    Destination port: radius-dynauth (3799)
    Length: 134
    Checksum: 0x46c1 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Radius Protocol
    Code: Disconnect-Request (40)
    Packet identifier: 0x1c (28)
    Length: 126
    Authenticator: d87a22f8d9e48cb34e67b846c34f78c7
    [The response to this request is in frame 2]
    Attribute Value Pairs
        AVP: l=46  t=User-Name(1): 6323AFDFB8A0E5AAB2582D5F39DF038D@alvarion.ro
            User-Name: 6323AFDFB8A0E5AAB2582D5F39DF038D@alvarion.ro
        AVP: l=41  t=Vendor-Specific(26) v=WiMAX(24757)
            VSA: l=35 t=WiMAX-AAA-Session-Id(4) C=0x00: 313865643938336633633233373163366634626336393265...
                WiMAX-AAA-Session-Id: 313865643938336633633233373163366634626336393265...
        AVP: l=19  t=Calling-Station-Id(31): 00-17-c4-3d-41-ea
            Calling-Station-Id: 00-17-c4-3d-41-ea

0000  00 23 33 82 0b 0c 00 1b 21 3d 2f ef 08 00 45 00   .#3.....!=/...E.
0010  00 9a e7 08 00 00 40 11 99 63 c0 a8 3c 1c c0 a8   ......@..c..<...
0020  3c 7a ad e0 0e d7 00 86 46 c1 28 1c 00 7e d8 7a   <z......F.(..~.z
0030  22 f8 d9 e4 8c b3 4e 67 b8 46 c3 4f 78 c7 01 2e   ".....Ng.F.Ox...
0040  36 33 32 33 41 46 44 46 42 38 41 30 45 35 41 41   6323AFDFB8A0E5AA
0050  42 32 35 38 32 44 35 46 33 39 44 46 30 33 38 44   B2582D5F39DF038D
0060  40 61 6c 76 61 72 69 6f 6e 2e 72 6f 1a 29 00 00   @alvarion.ro.)..
0070  60 b5 04 23 00 31 38 65 64 39 38 33 66 33 63 32   `..#.18ed983f3c2
0080  33 37 31 63 36 66 34 62 63 36 39 32 65 30 63 38   371c6f4bc692e0c8
0090  39 64 66 66 65 1f 13 30 30 2d 31 37 2d 63 34 2d   9dffe..00-17-c4-
00a0  33 64 2d 34 31 2d 65 61                           3d-41-ea

No.     Time        Source                Destination           Protocol Info
      2 0.006588    192.168.60.122        192.168.60.28         RADIUS   Disconnect-ACK(41) (id=28, l=20)

Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Arrival Time: Sep  7, 2011 11:56:04.806492000 E. Europe Daylight Time
    Epoch Time: 1315385764.806492000 seconds
    [Time delta from previous captured frame: 0.006588000 seconds]
    [Time delta from previous displayed frame: 0.006588000 seconds]
    [Time since reference or first frame: 0.006588000 seconds]
    Frame Number: 2
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:radius]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Cisco_82:0b:0c (00:23:33:82:0b:0c), Dst: IntelCor_3d:2f:ef (00:1b:21:3d:2f:ef)
    Destination: IntelCor_3d:2f:ef (00:1b:21:3d:2f:ef)
        Address: IntelCor_3d:2f:ef (00:1b:21:3d:2f:ef)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Cisco_82:0b:0c (00:23:33:82:0b:0c)
        Address: Cisco_82:0b:0c (00:23:33:82:0b:0c)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.60.122 (192.168.60.122), Dst: 192.168.60.28 (192.168.60.28)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x0034 (52)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 63
    Protocol: UDP (17)
    Header checksum: 0x41a2 [correct]
        [Good: True]
        [Bad: False]
    Source: 192.168.60.122 (192.168.60.122)
    Destination: 192.168.60.28 (192.168.60.28)
User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 44512 (44512)
    Source port: radius-dynauth (3799)
    Destination port: 44512 (44512)
    Length: 28
    Checksum: 0x9131 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Radius Protocol
    Code: Disconnect-ACK (41)
    Packet identifier: 0x1c (28)
    Length: 20
    Authenticator: e175db63a6510f8f0e0319352deac6d8
    [This is a response to a request in frame 1]
    [Time from request: 0.006588000 seconds]

0000  00 1b 21 3d 2f ef 00 23 33 82 0b 0c 08 00 45 00   ..!=/..#3.....E.
0010  00 30 00 34 40 00 3f 11 41 a2 c0 a8 3c 7a c0 a8   .0.4@.?.A...<z..
0020  3c 1c 0e d7 ad e0 00 1c 91 31 29 1c 00 14 e1 75   <........1)....u
0030  db 63 a6 51 0f 8f 0e 03 19 35 2d ea c6 d8         .c.Q.....5-...

 
Martin Ion
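
The error in the subject line is reported when the Response Authenticator of the ACK/NAK does not match MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret), as RFC 5176 defines it. The following is an added example, not code from the poster or from FreeRADIUS, that recomputes that value for a request/reply pair and separates a plain mismatch from one hypothetical NAS fault (hashing over 16 zero octets instead of the Request Authenticator); the secret, packets and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def build(code, ident, attrs, auth_seed, secret):
    """Constructed-packet helper: authenticator = MD5(hdr + auth_seed + attrs + secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + _md5(hdr, auth_seed, attrs, secret) + attrs

def check_request(req, secret):
    """Disconnect/CoA-Request: 16 zero octets stand in for the authenticator field."""
    length = struct.unpack("!H", req[2:4])[0]
    expected = _md5(req[:4], bytes(16), req[20:length], secret)
    return hmac.compare_digest(expected, req[4:20])

def diagnose_reply(req, rep, secret):
    """Classify an ACK/NAK against the request it answers."""
    if len(rep) < 20:
        return "malformed"
    length = struct.unpack("!H", rep[2:4])[0]
    if not 20 <= length <= len(rep):
        return "malformed"
    if rep[1] != req[1]:
        return "id-mismatch"
    hdr, got, attrs = rep[:4], rep[4:20], rep[20:length]
    # Correct form: hash covers the Request Authenticator from the request.
    if hmac.compare_digest(_md5(hdr, req[4:20], attrs, secret), got):
        return "ok"
    # Hypothetical NAS bug: zeros used in place of the Request Authenticator.
    if hmac.compare_digest(_md5(hdr, bytes(16), attrs, secret), got):
        return "hashed-over-zero-authenticator"
    return "secret-or-other-mismatch"

# Constructed sample data (secret and authenticators are not from the capture).
SECRET = b"constructed-secret"
ATTRS = bytes([31, 19]) + b"00-17-c4-3d-41-ea"      # Calling-Station-Id
REQ = build(40, 28, ATTRS, bytes(16), SECRET)        # Disconnect-Request, id=28
GOOD_ACK = build(41, 28, b"", REQ[4:20], SECRET)     # Disconnect-ACK, l=20
ZERO_ACK = build(41, 28, b"", bytes(16), SECRET)
WRONG_ACK = build(41, 28, b"", REQ[4:20], b"other-secret")

if __name__ == "__main__":
    for name, ack in [("good", GOOD_ACK), ("zero", ZERO_ACK), ("wrong", WRONG_ACK)]:
        print(name, diagnose_reply(REQ, ack, SECRET))
```

To run it against the capture above, pass the bytes from offset 0x2a of each hex dump (after the Ethernet, IP and UDP headers) together with the secret configured for that home server.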