rlm_digest failing after upgrade from 2.1.12 to 2.2.5

Daniel Pocock daniel at pocock.pro
Thu Oct 29 14:41:42 CET 2015

On 22/10/15 17:49, Alan DeKok wrote:
> On Oct 22, 2015, at 11:25 AM, Daniel Pocock <daniel at pocock.pro> wrote:
>> The shared secret was not changed when upgrading the system from Debian
>> wheezy to jessie.  We compared the client and server configs and the
>> secret appears to be the same in both.  It had all been working fine for
>> quite some time.  If nobody has seen anything like this before, I'll try
>> adding some more logging code or running it in a debugger.
>   <shrug>
> a) the shared secret is wrong on the client
> b) the shared secret is wrong on the server
> c) the client calculates the packet signature incorrectly
> d) the server calculates the packet signature incorrectly
>   Pick one.
>   You can always run radclient from the client machine, too.  That would give you another test.

Some more observations:

- we had the password in the radius-servers file.  If we put the
password on the authserver line in the radius-config file instead, then
everything works again.  E.g. we change from:

    authserver some-server


    authserver some-server:1812:<secret>

- I also tried using radcli instead of freeradius-client.  radcli logs a
syslog error about not being able to read the radius-servers file

Nothing had been changed in these files, the permissions were fine for
the process to read them too.  I haven't had time to step through it
with a debugger or strace to see what goes wrong when it tries to access
the radius-servers file.  It is good that radcli warns about the real
problem earlier on, as the errors from freeradius-client come much too late.

More information about the Freeradius-Users mailing list