rlm_digest failing after upgrade from 2.1.12 to 2.2.5
Daniel Pocock
daniel at pocock.pro
Thu Oct 29 14:41:42 CET 2015
On 22/10/15 17:49, Alan DeKok wrote:
> On Oct 22, 2015, at 11:25 AM, Daniel Pocock <daniel at pocock.pro> wrote:
>> The shared secret was not changed when upgrading the system from Debian
>> wheezy to jessie. We compared the client and server configs and the
>> secret appears to be the same in both. It had all been working fine for
>> quite some time. If nobody has seen anything like this before, I'll try
>> adding some more logging code or running it in a debugger.
>
> <shrug>
>
> a) the shared secret is wrong on the client
>
> b) the shared secret is wrong on the server
>
> c) the client calculates the packet signature incorrectly
>
> d) the server calculates the packet signature incorrectly
>
> Pick one.
>
> You can always run radclient from the client machine, too. That would give you another test.
>
Some more observations:

- we had the password in the radius-servers file. If we put the
password on the authserver line in the radius-config file instead, then
everything works again. E.g. we change from:

    authserver some-server

to

    authserver some-server:1812:<secret>

- I also tried using radcli instead of freeradius-client. radcli logs a
syslog error about not being able to read the radius-servers file.

Nothing had been changed in these files, the permissions were fine for
the process to read them too. I haven't had time to step through it
with a debugger or strace to see what goes wrong when it tries to access
the radius-servers file. It is good that radcli warns about the real
problem earlier on, as the errors from freeradius-client come much too late.
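
The four cases a) to d) quoted above all surface as the same failure: the RFC 2865 Response Authenticator recomputed with the local secret does not match the one in the reply. The following is an added example, not code from this thread, FreeRADIUS, freeradius-client or radcli; the packet, the secrets and all function names are constructed, and the empty-secret case is an assumption about how a client behaves when it fails to load its secret.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Assemble a reply the way a server signs it with its copy of the secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, request_auth, secret):
    """Client-side check: recompute the authenticator with the local secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def matching_secrets(packet, request_auth, candidates):
    """Return the labels of the candidate secrets that verify the reply."""
    return [label for label, secret in candidates.items()
            if verify_reply(packet, request_auth, secret)]

# Constructed sample data (not taken from the thread).
REQUEST_AUTH = bytes(range(16))            # authenticator sent in the request
ATTRS = bytes([18, 4]) + b"ok"             # Reply-Message attribute, value "ok"
SERVER_SECRET = b"constructed-secret"
REPLY = build_reply(2, 7, ATTRS, REQUEST_AUTH, SERVER_SECRET)  # Access-Accept

CANDIDATES = {
    "as configured on server": b"constructed-secret",
    "typo on client": b"constructed-secert",
    "empty (secret not loaded)": b"",      # assumed failure mode, see lead-in
}

if __name__ == "__main__":
    for label, secret in CANDIDATES.items():
        print(label, "->", verify_reply(REPLY, REQUEST_AUTH, secret))
```

A mistyped secret and a secret that was never loaded are indistinguishable at this point, so the verification error alone does not say which of the four cases applies.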