Hi. I've downloaded, compiled and installed FR 1.0.5, but I'm still
receiving the same results. the packet is discarded because of an invalid
Message-Authenticator.
This is part of the output (IP address hidden) for a "radclient" with "-s"
and "-x" options
rad_recv: Accounting-Response packet from host **, id=83, length=38
rad_decode: Received packet from ** with invalid Message-Authenticator!
(Shared secret is incorrect.)
radclient: radclient.c:440: send_one_packet: Assertion `radclient->reply ==
((void *)0)' failed.
Aborted
Should I modify something at the config to let the Message Authenticator get
handled correctly?
Also, from a TCPDump I don't see any "Message Authenticator" in the
Accounting-Request constructed by Radclient. I only see "Message
Authenticator" in the "Accounting-Response" packet constructed by Cisco ACS
and received (and discarded) by FR.
Date: Fri, 19 Aug 2005 15:09:23 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: FR with MySQL. Proxying and repeated entries
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>
"Paolo Rotela" <[EMAIL PROTECTED]> wrote:
With this one, Access-* packets go OK, but when the NAS (Cisco AS5300)
sends
an Accounting-Request to that realm and I proxy it to the home server, it
sends me an Accounting-Response with an (I think) irregular attribute:
Message-Authenticator (Ext. Attr. 80), wich I think is not permitted in
the
RFC for accounting packets.
The IETF RADIUS extensions working group has a document which
proposes fixes to a number of issues like this.
1) Am I reading OK the RFC? I mean ¿Is it right that Attribute 80 is NOT
permitted in Accounting-* packets?
I don't think it's specifically permitted, but it shouldn't be a problem.
2) Each time the NAS re-sends packets, FR handles it as it were a new
packet, for a new call/connection.
The RFC's say that's what the NAS is supposed to do. So for
FreeRADIUS, it looks like a new connection.
3) Is there any known bug or propietary feature from Cisco wich causes
this
incompatibility thing? I've searched about it and didn't find anything.
No. It's a bug in FreeRADIUS.
I'll put a patch into 1.0.5 that should fix it.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html