FreeRADIUS CoA Proxy [invalid Message-Authenticator] in response

Alan DeKok aland at deployingradius.com
Tue Oct 31 22:03:23 UTC 2023


On Oct 31, 2023, at 4:45 PM, Alexander Shulgin <alexs20 at gmail.com> wrote:
> As you suggested I ran the server with -Xxxx flag and radclient with -xxx
> While it increased the debug level of the server, it did not change the
> output of the radclient.
> So I went forward and ran radsniff on both sides
> Attached are server2.txt (server log), radclient2.txt (radclient
> log), radsniff_client2.txt (radsniff output for the client)
> and radsniff_server2.txt (radsniff output for the server)
> 
> From what I see the final message from the server has exactly the same
> values as on client side, which means nothing is changing the packet

  Hmm... that's weird.

  Looking at the server debug output in more detail, the issue is that the home server is sending Message-Authenticator in the Disconnect-ACK.  And the proxy is copying it back to the client unchanged.

  The proxy should instead calculate the correct value for Message-Authenticator when replying to the client.

  I've pushed a fix to the v3.2.x and v3.0.x branches.

  Alan DeKok.
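
The failure described above, as an added example that is not part of the original message and is not FreeRADIUS code: a Message-Authenticator computed by the home server for the proxy-to-home hop does not verify on the client-to-proxy hop, while one recalculated per RFC 3579 / RFC 5176 does. The secrets, Request Authenticators, identifiers and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_ACK = 41   # packet code, RFC 5176
MSG_AUTH = 80         # Message-Authenticator attribute type, RFC 3579

def sign(header, request_auth, attrs, secret):
    # HMAC-MD5 keyed with this hop's secret, over this hop's Request Authenticator.
    return hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()

def build_reply(ident, request_auth, attrs, secret, copied_ma=None):
    # Message-Authenticator goes last; it is 16 zero octets while signing.
    header = struct.pack("!BBH", DISCONNECT_ACK, ident, 20 + len(attrs) + 18)
    zeroed = attrs + bytes([MSG_AUTH, 18]) + bytes(16)
    ma = copied_ma or sign(header, request_auth, zeroed, secret)
    body = attrs + bytes([MSG_AUTH, 18]) + ma
    # Response Authenticator is computed after Message-Authenticator is set.
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def message_authenticator_ok(packet, request_auth, secret):
    # Receiver side: find attribute 80, zero it, recompute, compare.
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = packet[20:length], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False          # malformed attribute
        if atype == MSG_AUTH and alen == 18:
            zeroed = attrs[:pos + 2] + bytes(16) + attrs[pos + 18:]
            expected = sign(packet[:4], request_auth, zeroed, secret)
            return hmac.compare_digest(attrs[pos + 2:pos + 18], expected)
        pos += alen
    return False                  # no Message-Authenticator present

# Constructed sample values: two hops, each with its own secret and request.
CLIENT_SECRET, HOME_SECRET = b"client-proxy-secret", b"proxy-home-secret"
CLIENT_REQ_AUTH = hashlib.md5(b"constructed client request").digest()
PROXY_REQ_AUTH = hashlib.md5(b"constructed proxied request").digest()

def demo():
    attrs = bytes([49, 6, 0, 0, 0, 6])  # Acct-Terminate-Cause = Admin-Reset
    home = build_reply(7, PROXY_REQ_AUTH, attrs, HOME_SECRET)
    copied = build_reply(1, CLIENT_REQ_AUTH, attrs, CLIENT_SECRET, copied_ma=home[-16:])
    fixed = build_reply(1, CLIENT_REQ_AUTH, attrs, CLIENT_SECRET)
    return (message_authenticator_ok(home, PROXY_REQ_AUTH, HOME_SECRET),
            message_authenticator_ok(copied, CLIENT_REQ_AUTH, CLIENT_SECRET),
            message_authenticator_ok(fixed, CLIENT_REQ_AUTH, CLIENT_SECRET))
```

`demo()` returns the verification result for the home server's reply at the proxy, the reply with the copied attribute at the client, and the reply with the recalculated attribute at the client.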


