Home server secret mismatch
Miloslav Hůla
miloslav.hula at gmail.com
Mon Apr 6 23:45:59 CEST 2020
Hello,
I'm trying to set up a proxy for one realm. I hope everything is configured
well because I can see outgoing packets.
I'm using current Debian 10.3 with FreeRADIUS 3.0.17+dfsg-1.1.
My FreeRADIUS server is 147.32.s.s. The RADIUS home server is 147.32.h.h
(different organisation, I can't see the home server log).
When I try to reach the home server with radtest from my server, I get an Accept:
# radtest milo@org.tld passwd123 147.32.h.h 0 homesecret
Sent Access-Request Id 82 from 0.0.0.0:45346 to 147.32.h.h:1812 length 86
User-Name = "milo@org.tld"
User-Password = "passwd123"
NAS-IP-Address = 147.32.s.s
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "passwd123"
Received Access-Accept Id 82 from 147.32.h.h:1812 to 147.32.s.s:45346
length 80
Chargeable-User-Identity = 0x.........
User-Name = "milo@org.tld"
When I capture these packets with tcpdump and open them in Wireshark, and
set "homesecret" in the RADIUS protocol settings, I can see the correctly
decrypted password.
But when I try radtest via my server, the home server does not respond.
# radtest milo@org.tld passwd123 localhost 0 homesecret
Sent Access-Request Id 151 from 0.0.0.0:41144 to 127.0.0.1:1812 length 86
User-Name = "milo@org.tld"
User-Password = "passwd123"
NAS-IP-Address = 147.32.s.s
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "passwd123"
Received Access-Reject Id 151 from 127.0.0.1:1812 to 127.0.0.1:41144
length 20
(0) -: Expected Access-Accept got Access-Reject
When I capture this packet and open it in Wireshark, I can see all AVPs,
the correct User-Name, the correct NAS-IP-Address, plus Proxy-State and so on,
but the User-Password is not decrypted correctly (it contains many control
characters). I think this is the reason the home server does not respond at
all.
The freeradius -X output contains:
ERROR: Failing proxied request for user "milo@org.tld", due to lack of
any response from home server 147.32.h.h port 1812
I'm using the default configuration; I only added:
- the secret in clients.conf, set to "homesecret"
- in proxy.conf:
home_server radius1.org {
    type = auth
    ipaddr = 147.32.h.h
    port = 1812
    #proto = udp
    secret = homesecret
    response_window = 5 # default 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    check_timeout = 4
    num_answers_to_alive = 3
    max_outstanding = 65536
}
home_server_pool org {
    type = load-balance
    home_server = radius1.org
}
realm org.tld {
    auth_pool = org
    nostrip
}
Thank you for any hint.
Milo
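The "control characters in User-Password" symptom from the post is what a shared-secret mismatch looks like on the wire: RFC 2865 hides User-Password by XORing it with an MD5 stream keyed on the secret and the Request Authenticator, with no integrity check on the field, so a proxy that unhides the password with one secret and re-hides it with another silently forwards garbage. The following is an added Python example, not part of the post or of FreeRADIUS; the secrets and password are the ones quoted above, the authenticators are constructed at random, and `simulate` models a NAS, a proxy and a home server in one process.

```python
import hashlib
import os

# Constructed sample values; "homesecret"/"passwd123" are the ones quoted in the post.
PASSWORD = b"passwd123"
HOME_SECRET = b"homesecret"

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad with NULs to a multiple of 16,
    XOR each 16-byte block with MD5(secret + previous ciphertext block),
    seeding the chain with the 16-byte Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. The result is only meaningful if `secret` is
    the one the sender used; a wrong secret yields random-looking bytes."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def proxy_forward(hidden_from_nas: bytes, nas_auth: bytes, client_secret: bytes,
                  home_secret: bytes, proxy_auth: bytes) -> bytes:
    """What a proxy does with User-Password: unhide it with the secret from its
    clients.conf entry for the NAS, then re-hide it with the home_server secret.
    A wrong client_secret is not detected here; the garbage is simply re-hidden."""
    plain = reveal_password(hidden_from_nas, client_secret, nas_auth)
    return hide_password(plain, home_secret, proxy_auth)

def looks_garbled(decoded: bytes) -> bool:
    """The Wireshark symptom from the post: control or non-ASCII bytes in the field."""
    return any(b < 0x20 or b > 0x7E for b in decoded)

def simulate(client_secret_in_proxy: bytes) -> bytes:
    """Return what the home server decodes with HOME_SECRET when the NAS used
    HOME_SECRET towards the proxy and the proxy's clients.conf entry for that NAS
    holds `client_secret_in_proxy` (constructed random authenticators)."""
    nas_auth, proxy_auth = os.urandom(16), os.urandom(16)
    hidden = hide_password(PASSWORD, HOME_SECRET, nas_auth)
    forwarded = proxy_forward(hidden, nas_auth, client_secret_in_proxy, HOME_SECRET, proxy_auth)
    return reveal_password(forwarded, HOME_SECRET, proxy_auth)
```

Running `simulate(b"homesecret")` returns the original password, while `simulate(b"testing123")` (the stock clients.conf secret a localhost radtest may still be matching) returns bytes that `looks_garbled` flags, which is the quickest way to tell a clients.conf mismatch from a home_server secret mismatch when the home server's log is out of reach.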