Proxying with radsec/TLS, Access-Reject leads to "spoofed proxy reply"
Susan Barnes
barnes at rrz.uni-koeln.de
Wed Dec 23 16:23:30 CET 2015
Hello,
I am playing with radsec. I have set up a proxy connection between our
staging server and an additional test server to act as homeserver.
Both servers are v3.0.10.
What I have managed so far is:
The staging-server can contact the homeserver and establish a
TLS-secured connection.
The staging server sends a request to the homeserver and the homeserver
will process it.
The homeserver replies.
If the homeserver rejects the request, the staging server will not
accept the reply, but discards it with
"Ignoring spoofed proxy reply. Signature is invalid"
If the homeserver sends an Access-Accept, the staging-server will accept
the reply.
I have tried the proxy setup without radsec/TLS. In that case both
Accept and Reject work.
On the homeserver's side I have:
client radiustest {
    ipaddr = $STAGING
    proto = tls
    secret = radsec
}
On the staging-server's side I have:
home_server radiusdevel {
    ipaddr = $HOME
    port = 2083
    type = auth
    secret = radsec
    proto = tcp
    status_check = none
    tls {
        ...
    }
}
In debug output I first see
on HOME:
(0) SSL Connection Established
on STAGING:
(0) (other): SSL negotiation finished successfully
I assume that means I set up the TLS part correctly.
Then I see
on STAGING:
Listening on proxy (STAGING, 46303) -> home_server (HOME, 2083)
Waking up in 0.2 seconds.
(0) Proxying request to home server HOME port 2083 (TLS) timeout 10.000000
(0) Sent Access-Request Id 239 from STAGING:46303 to HOME:2083 length 137
on HOME:
(0) tls_recv: Access-Request packet from host STAGING port 46303, id=239, length=137
(0) <running>: Received Access-Request Id 239 from STAGING:46303 to HOME:2083 length 137
(0) Sent Access-Reject Id 239 from HOME:2083 to STAGING:46303 length 49
And then on STAGING:
"Ignoring spoofed proxy reply. Signature is invalid"
10 seconds later:
(0) No proxy response, giving up on request and marking it done
(0) ERROR: Failing proxied request for user "radtest at testrealm.de", due to lack of any response from home server HOME port 2083
I have poked around with gdb on the staging server a bit.
Within rad_verify(), at the point of calc_replydigest(), we get to the
point of
"Received %s packet from home server %s port %d with invalid Response
Authenticator! (Shared secret is incorrect.)"
(which did not appear anywhere in the debug output).
Does anyone have an idea what the problem could be?
Regards and Thanks
Susan
--
S.Barnes
Cologne University IT/Networking Dept.
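For readers following the rad_verify()/calc_replydigest() trail above: the check that produces "Signature is invalid" is the RFC 2865 Response Authenticator comparison, which binds a reply to the Authenticator of the proxy's own copy of the request plus the home_server secret. The following is an added illustration, not FreeRADIUS code; the packets, the fixed request Authenticator and the attribute values are constructed, and the secret "radsec" is the one from the configuration in the post.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, REPLY_MESSAGE = 1, 18

def attr(attr_type, value):
    """Encode one Type-Length-Value attribute (RFC 2865 section 5)."""
    return bytes([attr_type, 2 + len(value)]) + value

def build_packet(code, ident, authenticator, attrs=b""):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, request, attrs, secret):
    """Home server side: sign the reply over the Authenticator of the request it received."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return build_packet(code, ident, auth, attrs)

def verify_reply(reply, request, secret):
    """Proxy side (what rad_verify() does): recompute the digest with the proxy's
    own copy of the request Authenticator and its home_server secret. Any
    mismatch in Id, length, attributes, request Authenticator or secret
    yields the 'spoofed proxy reply' outcome."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False  # not a reply to this request
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False  # truncated or padded packet
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    secret = b"radsec"                      # value from the posted config
    req_auth = bytes(range(16))             # constructed, normally random
    req = build_packet(ACCESS_REQUEST, 239, req_auth, attr(USER_NAME, b"radtest@testrealm.de"))
    reject = build_reply(ACCESS_REJECT, req, attr(REPLY_MESSAGE, b"denied"), secret)
    print("reject verifies:", verify_reply(reject, req, secret))
    print("wrong secret:", verify_reply(reject, req, b"wrong"))
    print("other request auth:", verify_reply(reject, build_packet(ACCESS_REQUEST, 239, bytes(16)), secret))
```

Because the digest covers both the secret and the request Authenticator the proxy remembers, the "Shared secret is incorrect" wording is only one of the possible causes; a reply signed over a different request Authenticator fails identically.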