Re: FR with MySQL. Proxying and repeated entries

2005-09-12 Thread Paolo Rotela
Hi. I've downloaded, compiled and installed FR 1.0.5, but I'm still 
receiving the same results. The packet is discarded because of an invalid 
Message-Authenticator.


This is part of the output (IP address hidden) for a "radclient" with "-s" 
and "-x" options


rad_recv: Accounting-Response packet from host **, id=83, length=38
rad_decode: Received packet from ** with invalid Message-Authenticator! 
(Shared secret is incorrect.)
radclient: radclient.c:440: send_one_packet: Assertion `radclient->reply == 
((void *)0)' failed.

Aborted

Should I modify something in the config to let the Message-Authenticator get 
handled correctly?


Also, from a TCPDump I don't see any "Message Authenticator" in the 
Accounting-Request constructed by Radclient. I only see "Message 
Authenticator" in the "Accounting-Response" packet constructed by Cisco ACS 
and received (and discarded) by FR.


Date: Fri, 19 Aug 2005 15:09:23 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: FR with MySQL. Proxying and repeated entries
To: FreeRadius users mailing list

Message-ID: <[EMAIL PROTECTED]>

"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
> With this one, Access-* packets go OK, but when the NAS (Cisco AS5300) sends
> an Accounting-Request to that realm and I proxy it to the home server, it
> sends me an Accounting-Response with an (I think) irregular attribute:
> Message-Authenticator (Ext. Attr. 80), which I think is not permitted in the
> RFC for accounting packets.

  The IETF RADIUS extensions working group has a document which
proposes fixes to a number of issues like this.

> 1) Am I reading the RFC OK? I mean, is it right that Attribute 80 is NOT
> permitted in Accounting-* packets?

  I don't think it's specifically permitted, but it shouldn't be a problem.

> 2) Each time the NAS re-sends packets, FR handles it as if it were a new
> packet, for a new call/connection.

  The RFCs say that's what the NAS is supposed to do.  So for
FreeRADIUS, it looks like a new connection.

> 3) Is there any known bug or proprietary feature from Cisco which causes this
> incompatibility thing? I've searched about it and didn't find anything.



 No.  It's a bug in FreeRADIUS.

 I'll put a patch into 1.0.5 that should fix it.

 Alan DeKok. 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
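
An added example, not part of either post and not FreeRADIUS code: a minimal Python check of Message-Authenticator (attribute 80) on an Accounting-Response like the one in the radclient output above. It assumes the reply rule of RFC 2869 section 5.14 (HMAC-MD5 keyed with the shared secret, computed with the request's authenticator in the header and the attribute value zeroed) also applies to Accounting-Response; the secret, the authenticator bytes and the packet are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCOUNTING_RESPONSE = 5
MESSAGE_AUTHENTICATOR = 80


def find_attr(packet, attr_type):
    """Return the offset of the first attribute of attr_type, or None."""
    end = struct.unpack("!H", packet[2:4])[0]
    if end < 20 or end > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # attributes start after the 20-octet header
    while pos + 2 <= end:
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute")
        if t == attr_type:
            return pos
        pos += length
    return None


def verify_reply_ma(packet, request_auth, secret):
    """True/False if attribute 80 is present, None if it is absent."""
    if len(request_auth) != 16:
        raise ValueError("request authenticator must be 16 octets")
    pos = find_attr(packet, MESSAGE_AUTHENTICATOR)
    if pos is None:
        return None
    if packet[pos + 1] != 18:  # 2 octets of type/length + 16 of HMAC-MD5
        return False
    end = struct.unpack("!H", packet[2:4])[0]
    scratch = bytearray(packet[:end])
    # The request's authenticator replaces the header field; the value is zeroed.
    scratch[4:20] = request_auth
    scratch[pos + 2:pos + 18] = bytes(16)
    expected = hmac.new(secret, bytes(scratch), hashlib.md5).digest()
    return hmac.compare_digest(packet[pos + 2:pos + 18], expected)


def build_reply(ident, request_auth, secret):
    """Constructed Accounting-Response carrying only attribute 80 (sample data)."""
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    hdr = struct.pack("!BBH", ACCOUNTING_RESPONSE, ident, 20 + len(attrs))
    mac = hmac.new(secret, hdr + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:2] + mac
    resp_auth = hashlib.md5(hdr + request_auth + attrs + secret).digest()
    return hdr + resp_auth + attrs
```

The comparison fails in the same way whether the shared secret or the request authenticator supplied to it is wrong, so a receiver has to pair each reply with the authenticator of the request it actually sent.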


Re: FR with MySQL. Proxying and repeated entries

2005-08-19 Thread Alan DeKok
"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
> With this one, Access-* packets go OK, but when the NAS (Cisco AS5300) sends 
> an Accounting-Request to that realm and I proxy it to the home server, it 
> sends me an Accounting-Response with an (I think) irregular attribute: 
> Message-Authenticator (Ext. Attr. 80), which I think is not permitted in the 
> RFC for accounting packets.

  The IETF RADIUS extensions working group has a document which
proposes fixes to a number of issues like this.

> 1) Am I reading the RFC OK? I mean, is it right that Attribute 80 is NOT 
> permitted in Accounting-* packets?

  I don't think it's specifically permitted, but it shouldn't be a problem.

> 2) Each time the NAS re-sends packets, FR handles it as if it were a new 
> packet, for a new call/connection.

  The RFCs say that's what the NAS is supposed to do.  So for
FreeRADIUS, it looks like a new connection.

> 3) Is there any known bug or proprietary feature from Cisco which causes this 
> incompatibility thing? I've searched about it and didn't find anything.

  No.  It's a bug in FreeRADIUS.

  I'll put a patch into 1.0.5 that should fix it.

  Alan DeKok.