FreeRADIUS CoA Proxy [invalid Message-Authenticator] in response
Alan DeKok
aland at deployingradius.com
Tue Oct 31 19:52:47 UTC 2023
Or just run
radclient -xxx ...
and that will print out the hex packet, too.
> On Oct 31, 2023, at 3:51 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Oct 31, 2023, at 3:35 PM, Alexander Shulgin <alexs20 at gmail.com> wrote:
>>
>> I am trying to configure the coa proxy in latest Radius docker image 3.2.3.
>>
>> I have defined a client with a proper shared secret (message initiator) and
>> also defined a home server with a shared secret (message destination). When
>> I send the CoA message I see in debug that the radius server is proxying
>> the request, the NAS at destination receiving it, it responds back to the
>> radius server and then the radius server forwards that message back to the
>> initiator.
>
> That's good. The Disconnect-Request packet is signed with the shared secret, so the server verifies it before processing the packet.
>
>> The problem is when I receive the final message from the radius
>> server it has invalid message-authenticator.
>
> Something is modifying the packet in transit.
>
> Run the server with -Xxxx (one of the few times this is necessary). It should print out the Disconnect-Request packet as hex.
>
> Run "radsniff" on the client, and it will print out the hex version of the packet it received.
>
> If they're different, then something is mangling the reply before radclient sees it.
>
> If the packets are the same, then something extremely weird is going on.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
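As an added illustration of the check being discussed (not code from the thread or from FreeRADIUS), the following Python models how a Disconnect-ACK's Message-Authenticator is generated by the home server and verified by the client per RFC 3579 / RFC 5176, and shows that both a shared-secret mismatch and a single byte changed in transit make verification fail. The secret, identifier, Request Authenticator and attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed example values, not taken from the original thread.
DISCONNECT_ACK = 41                         # packet code, RFC 5176
MESSAGE_AUTHENTICATOR = 80                  # attribute type, RFC 3579
REQUEST_AUTHENTICATOR = bytes(range(16))    # constructed: copied from the Disconnect-Request
SECRET = b"testing123"                      # constructed shared secret


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_disconnect_ack(ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Sign a Disconnect-ACK as the home server does (RFC 5176 s.3, RFC 3579 s.3.2).

    Message-Authenticator = HMAC-MD5(secret, header + Request Authenticator + attrs)
    with the attribute's own 16 value octets zeroed.  The Response Authenticator is
    then MD5(header + Request Authenticator + signed attrs + secret).
    """
    body = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", DISCONNECT_ACK, ident, 20 + len(body))
    mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_message_authenticator(pkt: bytes, req_auth: bytes, secret: bytes) -> bool:
    """What the client checks on the reply: recompute the HMAC with the attribute zeroed."""
    header, body = pkt[:4], pkt[20:]
    pos = 0
    while pos + 2 <= len(body):
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            return False                      # malformed TLV, reject
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = body[:pos + 2] + b"\x00" * 16 + body[pos + 18:]
            expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, body[pos + 2:pos + 18])
        pos += l
    return False                              # attribute absent, reject


def demo():
    ack = build_disconnect_ack(7, REQUEST_AUTHENTICATOR, attr(1, b"bob"), SECRET)
    ok = verify_message_authenticator(ack, REQUEST_AUTHENTICATOR, SECRET)
    # Secret mismatch (e.g. client and home_server stanzas disagree) fails.
    wrong_secret = verify_message_authenticator(ack, REQUEST_AUTHENTICATOR, b"other")
    # One User-Name byte altered after signing fails, like a reply mangled in transit.
    mangled = ack[:22] + bytes([ack[22] ^ 0x01]) + ack[23:]
    mangled_ok = verify_message_authenticator(mangled, REQUEST_AUTHENTICATOR, SECRET)
    return ok, wrong_secret, mangled_ok
```

Comparing the hex dumps from the server and from radsniff, as suggested above, is the same comparison the HMAC performs: any octet differing between what was signed and what was received produces a verification failure.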