Home server secret mismatch

Alan DeKok aland at deployingradius.com
Mon Apr 6 23:51:56 CEST 2020


On Apr 6, 2020, at 5:45 PM, Miloslav Hůla <miloslav.hula at gmail.com> wrote:
> I'm trying to set up a proxy for one realm. I hope everything is configured well because I can see outgoing packets.

  That's good, but not enough.

> I'm using current Debian 10.3 with FreeRADIUS 3.0.17+dfsg-1.1.
> 
> My FreeRADIUS server is 147.32.s.s. RADIUS home server is 147.32.h.h (different organisation, I can't see the home server log).

  OK.

> When I try to reach the home server with radtest from my server, I get an accept:
> 
> # radtest milo at org.tld passwd123 147.32.h.h 0 homesecret
> 
> Sent Access-Request Id 82 from 0.0.0.0:45346 to 147.32.h.h:1812 length 86
>        User-Name = "milo at org.tld"
>        User-Password = "passwd123"
>        NAS-IP-Address = 147.32.s.s
>        NAS-Port = 0
>        Message-Authenticator = 0x00
>        Cleartext-Password = "passwd123"
> Received Access-Accept Id 82 from 147.32.h.h:1812 to 147.32.s.s:45346 length 80
>        Chargeable-User-Identity = 0x.........
>        User-Name = "milo at org.tld"

  Good.

> When I capture these packets with tcpdump and open them in Wireshark, and set "homesecret" in the RADIUS protocol settings, I can see the password correctly decrypted.

  That means it's working.

> But when I try radtest via my server, the home server does not respond.
> 
> # radtest milo at org.tld passwd123 localhost 0 homesecret
> 
> Sent Access-Request Id 151 from 0.0.0.0:41144 to 127.0.0.1:1812 length 86
>        User-Name = "milo at org.tld"
>        User-Password = "passwd123"
>        NAS-IP-Address = 147.32.s.s
>        NAS-Port = 0
>        Message-Authenticator = 0x00
>        Cleartext-Password = "passwd123"
> Received Access-Reject Id 151 from 127.0.0.1:1812 to 127.0.0.1:41144 length 20
> (0) -: Expected Access-Accept got Access-Reject

  PLEASE read the documentation.  This shouldn't be difficult.

  It is absolutely useless to read the "radclient" output when you're trying to debug the server.

  Read the SERVER output.  The debug output.  As suggested in the "man" page, web pages, and all of the documentation.

> When I capture this packet and open it in Wireshark, I can see all AVPs, correct User-Name, correct NAS-IP-Address, plus Proxy-State and so on, but User-Password is not correctly decrypted (contains many control characters). I think that is the reason the home server does not respond at all.

  Yes.

  The secret for the home server in proxy.conf is wrong.  There is very little else that will cause this issue.

  Alan DeKok.
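As an added illustration (not part of this thread, and not FreeRADIUS code), the RFC 2865 User-Password hiding that Wireshark reverses with the shared secret, and what a proxy has to do with it when forwarding: reveal with the NAS secret, re-hide with the home server's secret from proxy.conf. The NAS secret, the "wrong" secret and the Request Authenticators below are constructed values; "homesecret" and "passwd123" are the ones from the thread.

```python
"""RFC 2865 section 5.2 User-Password hiding, used to show why a wrong
home-server secret in proxy.conf makes the forwarded password unreadable.
Constructed example; not FreeRADIUS code."""
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 bytes (at least one block), then XOR
    each block with MD5(secret + previous hidden block); the first block is
    keyed with the 16-byte Request Authenticator (random in a real packet)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the chaining value is the hidden block itself,
    so a wrong secret turns every block into pseudo-random bytes."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def proxy_forward(hidden: bytes, nas_secret: bytes, nas_auth: bytes,
                  proxy_conf_secret: bytes, home_auth: bytes) -> bytes:
    """What a proxy does: reveal with the NAS secret it shares with the client,
    re-hide with the secret configured for the home server in proxy.conf and
    a fresh Request Authenticator. If proxy_conf_secret does not match the
    home server's secret, the home server sees garbage (constructed helper)."""
    clear = reveal_password(hidden, nas_secret, nas_auth)
    return hide_password(clear, proxy_conf_secret, home_auth)


def looks_mangled(revealed: bytes) -> bool:
    """Quick mismatch check: a real password is printable ASCII; a wrong
    secret yields control and high bytes, as seen in the thread's capture."""
    return any(b < 0x20 or b > 0x7E for b in revealed)
```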
