Yet another shared secret mismatch issue

Herwin Weststrate herwin at quarantainenet.nl
Thu Jul 12 09:25:25 CEST 2018


On 12-07-18 08:59, Alberto Martínez Setién via Freeradius-Users wrote:
> Hi all,
> 
> I'm trying to configure hardware (MAC) auth using FreeRADIUS.
> It works nicely with another provider, but this new one seems to do shared
> secret signing wrong.
> 
> Fri Jul  6 08:37:40 2018 : Info: Ready to process requests
> Fri Jul  6 08:37:50 2018 : Debug: (0) Received Access-Request Id 4 from
> 10.70.8.199:44611 to 172.16.250.2:8812 length 271
> Fri Jul  6 08:37:50 2018 : Info: Dropping packet without response because
> of error: Received packet from 10.70.8.199 with invalid
> Message-Authenticator!  (Shared secret is incorrect.)
> 
> (....)
> 
> 
> I have no doubt that FR does the right thing, and I'm sure that this is not
> a "maybe you didn't input the same secret in both places" issue. This is
> either a hardcoded secret (not their first time) or a bad implementation.
> 
> They deny any wrongdoing on their part.
> 
> I intend to prove that they are doing RADIUS secret wrong and have located
> the fr_radius_verify function.
> 
> My questions are:
> Can I brute force the secret somehow?
> Can I make my point to them somehow else?

https://wifiphil.blogspot.com/2015/12/troubleshooting-decrypt-radius-packets.html

You could use that to decrypt the User-Password attribute. If it turns
out like garbage it probably used a different shared secret than you
configured.


-- 
Herwin Weststrate
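
The check discussed in this thread, as an added example that is not part of the original post and is not FreeRADIUS code: for a given secret it recomputes Message-Authenticator (HMAC-MD5 over the Access-Request with that attribute zeroed, RFC 3579) and un-hides User-Password (RFC 2865). The packet, MAC address and secret strings are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

MSG_AUTH, USER_PASSWORD = 80, 2  # attribute types (RFC 2869, RFC 2865)

def attrs(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    end, pos = struct.unpack("!H", packet[2:4])[0], 20
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError(f"malformed attribute at offset {pos}")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen

def check_message_authenticator(packet, secret):
    """True/False if the HMAC-MD5 matches under `secret`; None if the attribute is absent."""
    end = struct.unpack("!H", packet[2:4])[0]
    for atype, off, value in attrs(packet):
        if atype == MSG_AUTH and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:end]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return None

def decrypt_user_password(packet, secret):
    """Undo the RFC 2865 section 5.2 hiding; the result is garbage under a wrong secret."""
    for atype, _, value in attrs(packet):
        if atype == USER_PASSWORD and value and len(value) % 16 == 0:
            plain, prev = b"", packet[4:20]  # chain starts at the Request Authenticator
            for i in range(0, len(value), 16):
                mask = hashlib.md5(secret + prev).digest()
                plain += bytes(a ^ b for a, b in zip(value[i:i + 16], mask))
                prev = value[i:i + 16]
            return plain.rstrip(b"\x00")
    return None

def build_sample(secret, mac=b"aabbccddeeff"):
    """Constructed Access-Request (not a capture): MAC auth, password = MAC."""
    auth = bytes(range(16))
    mask = hashlib.md5(secret + auth).digest()
    hidden = bytes(a ^ b for a, b in zip(mac.ljust(16, b"\x00"), mask))
    body = bytes([1, 2 + len(mac)]) + mac + bytes([2, 18]) + hidden + bytes([80, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, 4, 20 + len(body)) + auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

if __name__ == "__main__":
    pkt = build_sample(b"secret-on-the-nas")
    for s in (b"secret-on-the-nas", b"secret-in-clients.conf"):
        print(s, check_message_authenticator(pkt, s), decrypt_user_password(pkt, s))
```

Fed the raw UDP payload of a captured Access-Request and the secret configured for that client, a False result together with an unreadable password reproduces the server's "invalid Message-Authenticator" verdict independently of FreeRADIUS.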

