Francois, FWIW, I read other freeradius forums regarding 64-bit platforms (which I'm using) where some versions fail to correctly calculate the MD5 checksum.
I wonder if this is the issue.

-----Original Message-----
From: Francois Gaudreault [mailto:fgaudrea...@inverse.ca]
Sent: Monday, October 22, 2012 11:19 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

I still continue to believe a wrong shared secret. Do you have special chars in your secret?

On 2012-10-22 11:49 AM, Thomas Tsai wrote:
> Bump.
>
> Thomas Tsai, CISSP
> Sr. Systems Engineer
> Canyon Partners, LLC
> tt...@canyonpartners.com
> +1.310.272.1746 (o)
> +1.310.600.6651 (c)
>
> *From*: Thomas Tsai [mailto:tt...@canyonpartners.com]
> *Sent*: Friday, October 19, 2012 11:04 AM
> *To*: 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.sourceforge.net>
> *Subject*: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator
>
> Cisco has issued me a firmware 7.2.110.10 that has fixed the deauthentication issue on their WLC. This was tested using a third party client, called radtest (v2.6) and has been tested to be working now.
>
> This is what happens now:
>
> 1) laptop connects via WIFI to a SSID managed through PF (radius).
> 2) laptop is thrown into PF registration network
>
> 3) Upon successful portal registration, PF attempts to send deauth request to WLC
>
> 4) WLC receives deauth request, but rejects with the following error:
>
> *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Request Authenticator(recv'd) - *31:42:70:62:b8:0e:0e:ea:a3:ef:01:1e:fa:c5:58:5a*
>
> *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Request Authenticator(calc'd) - *8e:5f:11:72:7e:f4:28:bf:02:e9:8e:18:ce:e2:97:44*
>
> *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Invalid RADIUS message authenticator
>
> *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Invalid message authenticator received in 'RFC-3576 Disconnect-Request' from <PACKETFENCE IP>
>
> I have triple checked that my radius key in clients.conf on the PF server matches the key in WLC. (It does since I can do the initial authentication onto the network.)
>
> But the authenticator is incorrect. Any suggestions? This is a very odd behavior.
>
> -----Original Message-----
> From: Thomas Tsai
> Sent: Friday, October 05, 2012 4:53 PM
> To: 'packetfence-users@lists.sourceforge.net'
> Subject: RE: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator
>
> Update: It's enabled, but it isn't working.
>
> I took packetfence out of the mix, and assumed it was the WLC, so I went to hunt for a way to test COA/Deauth on a WLC5500.
>
> https://supportforums.cisco.com/docs/DOC-8473
>
> Here is an article to a PDF document describing how to do this, with radtest 2.6.
>
> Will provide updates as they are avail.
>
> -----Original Message-----
> From: Thomas Tsai
> Sent: Friday, October 05, 2012 4:14 PM
> To: 'packetfence-users@lists.sourceforge.net'
> Subject: RE: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator
>
> Hi David. Thx for chiming in here.
> Yes, by default it's enabled, but I just went back in to double check -- it's enabled.
>
> -----Original Message-----
> From: Bulanda, Dave G [mailto:dgbula...@indianatech.edu]
> Sent: Friday, October 05, 2012 1:48 PM
> To: 'packetfence-users@lists.sourceforge.net'
> Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator
>
> Thomas,
>
> Is your WLC set to use RFC 3576? I believe when that is not enabled that is the message that the WLC returns when you send the COA/DeAuth.
>
> David Bulanda
> Network Services Manager
> dgbula...@indianatech.edu
> Indiana Tech
>
> -----Original Message-----
> From: Thomas Tsai [mailto:tt...@canyonpartners.com]
> Sent: Friday, October 05, 2012 3:39 PM
> To: 'packetfence-users@lists.sourceforge.net'
> Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator
>
> I'm a little lost - how can this be a radius shared secret issue if the WLC can contact the freeradius2 server to perform the initial authentication, but then fail during deauth? Are these settings separate from one another? It does not seem like they would be.
>
> -----Original Message-----
> From: Francois Gaudreault [mailto:fgaudrea...@inverse.ca]
> Sent: Friday, October 05, 2012 12:19 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator
>
> Well this is a shared secret issue, so make sure they are right... sometimes there is a trailing character at the end.
>
> If you run in HA, make sure the VIP is listed in the AAA server list on your WLC.
>
> On 2012-10-05 2:52 PM, Thomas Tsai wrote:
> > Bump - can anyone offer any suggestions as to how to troubleshoot this particular problem?
> >
> > *From:* Thomas Tsai [mailto:tt...@canyonpartners.com]
> > *Sent:* Thursday, October 04, 2012 7:11 PM
> > *To:* 'packetfence-users@lists.sourceforge.net'
> > *Subject:* [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator
> >
> > When packetfence attempts to deauth/COA via radius on a WLC, the following error appears on the WLC: *Invalid RADIUS message authenticator*
> >
> > A quick search yields some wisdom that Olivier provided with someone with a remote similar issue.
> >
> > http://comments.gmane.org/gmane.comp.networking.packetfence.user/3908
> >
> > I have confirmed that I am running firmware 7.2.110.0 on the WLC, so this should work. (Radius Disconnect)
> >
> > I spot the issue below, but I am uncertain why the message authenticator is invalid. Am I doing something wrong?
> >
> > *_PACKETFENCE.LOG:_*
> >
> > Oct 04 18:37:39 register.cgi(0) INFO: 00:88:10:88:59:88 is currentlog connected at <WLC IP> ifIndex 13 in VLAN REG_VLAN (pf::enforcement::_should_we_reassign_vlan)
> >
> > Oct 04 18:37:39 register.cgi(0) INFO: [CUSTOM-NOCATCH] Defined (y/n)? 1 -- value = (pf::vlan::custom::getNormalVlan)
> >
> > Oct 04 18:37:39 register.cgi(0) INFO: MAC: 00:88:10:88:59:88, PID: username, Status: reg. Returned VLAN: NORMAL_VLAN (pf::vlan::fetchVlanForNode)
> >
> > Oct 04 18:37:39 register.cgi(0) INFO: VLAN reassignment required for 00:88:10:88:59:88 (current VLAN = REG_VLAN but should be in VLAN NORMAL_VLAN) (pf::enforcement::_should_we_reassign_vlan)
> >
> > Oct 04 18:37:39 register.cgi(0) INFO: switch port for 00:88:10:88:59:88 is <WLC IP> ifIndex 13 connection type: WiFi 802.1X (pf::enforcement::_vlan_reevaluation)
> >
> > Oct 04 18:37:39 register.cgi(0) INFO: trying to dissociate a wireless 802.1x user, this might not work depending on hardware support. If its your case please file a bug (pf::enforcement::_vlan_reevaluation)
> >
> > Oct 04 18:37:39 register.cgi(0) INFO: 10.0.0.39 - 00:88:10:88:59:88 on registration page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
> >
> > Oct 04 18:37:40 pfdhcplistener(26773) INFO: 00:88:10:88:59:88 requested an IP. DHCP Fingerprint: OS::109 (Microsoft Windows 8). Modified node with last_dhcp = 2012-10-04 18:37:40,computername = LAPTOPNAME,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,252,43 (main::listen_dhcp)
> >
> > Oct 04 18:37:40 pfdhcplistener(26773) INFO: DHCPACK from 10.0.0.254 (00:99:56:99:00:99) to host 00:88:10:88:59:88 (10.0.0.39) for 20 seconds (main::parse_dhcp_ack)
> >
> > Oct 04 18:37:42 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch <WLC IP> (main::parseTrap)
> >
> > Oct 04 18:37:42 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
> >
> > Oct 04 18:37:42 pfsetvlan(1) INFO: desAssociate trap received on <WLC IP> for wireless client 00:88:10:88:59:88 (main::handleTrap)
> >
> > Oct 04 18:37:42 pfcmd_vlan(26918) INFO: wireless deauthentication of a 802.1x MAC (main::)
> >
> > Oct 04 18:37:50 pfdhcplistener(26773) INFO: 00:88:10:88:59:88 requested an IP. DHCP Fingerprint: OS::109 (Microsoft Windows 8). Modified node with last_dhcp = 2012-10-04 18:37:50,computername = LAPTOPNAME,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,252,43 (main::listen_dhcp)
> >
> > Oct 04 18:37:50 pfdhcplistener(26773) INFO: DHCPACK from 10.0.0.254 (00:99:56:99:00:99) to host 00:88:10:88:59:88 (10.0.0.39) for 20 seconds (main::parse_dhcp_ack)
> >
> > *Oct 04 18:37:52 pfcmd_vlan(26918) WARN: Unable to perform RADIUS Disconnect-Request: Timeout waiting for a reply from <WLC IP> on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)*
> >
> > *Oct 04 18:37:52 pfcmd_vlan(26918) ERROR: Wrong RADIUS secret or unreachable network device... (pf::SNMP::__ANON__)*
> >
> > Oct 04 18:37:52 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
> >
> > *_WLC5508 radius debug log:_*
> >
> > *radiusTransportThread: Oct 05 02:05:02.680: ****Enter processIncomingMessages: response code=5
> >
> > *radiusTransportThread: Oct 05 02:05:02.680: ****Enter processRadiusResponse: response code=5
> >
> > *radiusTransportThread: Oct 05 02:05:02.680: 00:27:10:41:59:60 Accounting-Response received from RADIUS server <PACKETFENCE IP> for mobile 00:88:10:88:59:88 receiveId = 0
> >
> > **radiusRFC3576TransportThread: Oct 05 02:05:29.134: Invalid RADIUS message authenticator*
> >
> > **radiusRFC3576TransportThread: Oct 05 02:05:29.134: Invalid message authenticator received in 'RFC-3576 Disconnect-Request' from <PACKETFENCE IP>*
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Francois Gaudreault, ing. jr
> fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
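
The recv'd/calc'd comparison in the WLC debug output, as an added example that is not part of the original thread: under RFC 3576 the Request Authenticator of a Disconnect-Request is an MD5 over the packet (authenticator field zeroed) followed by the shared secret, so one trailing character in the secret on either side changes all 16 bytes. The secrets, identifier and attribute choice below are constructed sample values, not data from the thread.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40  # RADIUS code for Disconnect-Request (RFC 3576)


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_disconnect_request(ident, attrs, secret):
    """Sender side: header, Request Authenticator, then attributes."""
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def verify_request(packet, secret):
    """Receiver side: return (ok, received_hex, calculated_hex)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    received = packet[4:20]
    calculated = request_authenticator(code, ident, packet[20:], secret)
    as_hex = lambda b: ":".join(f"{x:02x}" for x in b)
    return hmac.compare_digest(received, calculated), as_hex(received), as_hex(calculated)


# Constructed sample values (not taken from the thread's packets).
ATTRS = attr(31, b"00-88-10-88-59-88")   # Calling-Station-Id, assumed attribute
SENDER_SECRET = b"s3cret\n"              # secret stored with a trailing newline
RECEIVER_SECRET = b"s3cret"              # secret as typed on the receiving device
PACKET = build_disconnect_request(7, ATTRS, SENDER_SECRET)

if __name__ == "__main__":
    ok, recvd, calcd = verify_request(PACKET, RECEIVER_SECRET)
    print("Request Authenticator(recv'd) -", recvd)
    print("Request Authenticator(calc'd) -", calcd)
    print("valid" if ok else "Invalid RADIUS message authenticator")
```
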