FreeRADIUS CoA Proxy [invalid Message-Authenticator] in response

Alan DeKok aland at deployingradius.com
Tue Oct 31 19:51:04 UTC 2023


On Oct 31, 2023, at 3:35 PM, Alexander Shulgin <alexs20 at gmail.com> wrote:
> 
> I am trying to configure the coa proxy in latest Radius docker image 3.2.3.
> 
> I have defined a client with a proper shared secret (message initiator) and
> also defined a home server with a shared secret (message destination). When
> I send the CoA message I see in debug that the radius server is proxying
> the request, the NAS at destination receiving it, it responds back to the
> radius server and then the radius server forwards that message back to the
> initiator.

  That's good.  The Disconnect-Request packet is signed with the shared secret, so the server verifies it before processing the packet.

> The problem is when I receive the final message from the radius
> server it has invalid message-authenticator.

  Something is modifying the packet in transit.

  Run the server with -Xxxx (one of the few times this is necessary).  It should print out the Disconnect-Request packet as hex.

  Run "radsniff" on the client, and it will print out the hex version of the packet it received.

  If they're different, then something is mangling the reply before radclient sees it.

  If the packets are the same, then something extremely weird is going on.

  Alan DeKok.
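The Message-Authenticator check referred to above, as an added illustration that is not part of this thread or of FreeRADIUS itself (Python; secrets and attribute values are constructed, and the Request Authenticator is a fixed stand-in rather than the RFC 5176 MD5 derivation). The attribute is keyed with the shared secret of each hop, so a proxy has to verify the NAS's Disconnect-ACK under the home-server secret and re-sign it under the client secret before forwarding; an ACK forwarded raw, or altered in transit, fails the check at the client.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80                                 # Message-Authenticator attribute (RFC 2869)
DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41   # packet codes (RFC 5176)

def _tlv(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def sign(code, ident, authenticator, attrs, secret):
    # Message-Authenticator = HMAC-MD5(secret) over the whole packet with the
    # attribute value zeroed (RFC 2869 s5.14); it is appended as the last TLV.
    tlv = _tlv([a for a in attrs if a[0] != MSG_AUTH])
    header = struct.pack("!BBH", code, ident, 20 + len(tlv) + 18) + authenticator
    mac = hmac.new(secret, header + tlv + bytes([MSG_AUTH, 18]) + bytes(16), hashlib.md5).digest()
    return header + tlv + bytes([MSG_AUTH, 18]) + mac

def verify(packet, secret, request_authenticator=None):
    # For an ACK/NAK pass the matching request's authenticator: responses are keyed over it.
    auth = packet[4:20] if request_authenticator is None else request_authenticator
    body, pos, found, rebuilt = packet[20:], 0, None, b""
    while pos + 2 <= len(body):
        t, l = body[pos], body[pos + 1]
        if l < 2:
            return False
        v = body[pos + 2:pos + l]
        if t == MSG_AUTH and l == 18:
            found, v = v, bytes(16)
        rebuilt += bytes([t, l]) + v
        pos += l
    if found is None or pos != len(body):
        return False
    expected = hmac.new(secret, packet[:4] + auth + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(found, expected)

def finish_response(packet, request_authenticator, secret):
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s3
    h = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[:4] + h + packet[20:]

def proxy_demo():
    # Client -> proxy -> NAS with two constructed secrets; returns (nas_ok, client_ok_if_resigned, client_ok_if_ack_forwarded_raw).
    s_client, s_nas = b"client-secret", b"nas-secret"
    req_auth = bytes(range(16))      # stand-in for the RFC 5176 MD5-derived Request Authenticator
    attrs = [(1, b"bob"), (44, b"session-0001")]   # User-Name, Acct-Session-Id
    nas_ok = verify(sign(DISCONNECT_REQUEST, 7, req_auth, attrs, s_nas), s_nas)
    ack = finish_response(sign(DISCONNECT_ACK, 7, req_auth, [], s_nas), req_auth, s_nas)
    resigned = finish_response(sign(DISCONNECT_ACK, 7, req_auth, [], s_client), req_auth, s_client)
    return nas_ok, verify(resigned, s_client, req_auth), verify(ack, s_client, req_auth)
```

Comparing the hex of the packet the server sent against what radsniff captures, as suggested above, is the same test: any byte that differs between the two dumps changes the HMAC input and so invalidates the attribute.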
