Radius DAS won't work

Robert Plestenjak robert.plestenjak at xlab.si
Fri Feb 7 06:44:34 EST 2014


Thanks for response. Shared secret "supersecret" is same on both sides, Freeradius is 2.1.12 (CentOS 6).

DAS: Received 52 bytes from 172.16.93.117:41409
RADIUS message: code=40 (Disconnect-Request) identifier=40 length=52
   Attribute 44 (Acct-Session-Id) length=19
      Value: '52F4B5D1-00000000'
   Attribute 1 (User-Name) length=7
      Value: 'janez'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 172.16.117.235
DAS: Unsupported attribute 4 in Disconnect-Request from 172.16.93.117:41409
DAS: Reply to 172.16.93.117:41409
RADIUS message: code=42 (Disconnect-NAK) identifier=40 length=50
   Attribute 101 (Error-Cause) length=6
      Value: 401
   Attribute 55 (Event-Timestamp) length=6
      Value: 1391769189
   Attribute 80 (Message-Authenticator) length=18
      Value: e1 b8 ce 44 85 6e 79 c0 30 5c 81 86 fd 87 3a f5


Now, if I get this right, NAS receives Disconnect-Request and it complains that it doesn't support attribute 4 (Accounting-Request). Then it sends response NAK and error, attribute 101 with value 401 (unsuported attribute).


Sending Disconnect-Request of id 40 to 172.16.117.235 port 3799
	Acct-Session-Id = "52F4B5D1-00000000"
	User-Name = "janez"
	NAS-IP-Address = 172.16.117.235
rad_recv: Disconnect-NAK packet from host 172.16.117.235 port 3799, id=40, length=50
rad_verify: Received packet from 172.16.117.235 with invalid Message-Authenticator!  (Shared secret is incorrect.)
radclient: no response from server for ID 40 socket 3


On Freeradius side we see that disconnect requst was send, NAK received and after that it fails verifying Message-Authenticator response.

- Robert

----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: "Robert Plestenjak" <robert.plestenjak at xlab.si>
Cc: hostap at lists.shmoo.com
Sent: Thursday, February 6, 2014 7:56:55 PM
Subject: Re: Radius DAS won't work

Robert Plestenjak wrote:
> When I send disconnect message, I get this:
> 
> # cat ~/packet.txt | radclient -x 172.16.117.235:3799 disconnect supersecret
> Sending Disconnect-Request of id 224 to 172.16.117.235 port 3799
> 	Acct-Session-Id = "52F38076-00000003"
> 	User-Name = "janez"
> 	NAS-IP-Address = 172.16.117.235
> rad_recv: Disconnect-NAK packet from host 172.16.117.235 port 3799, id=224, length=50
> rad_verify: Received packet from 172.16.117.235 with invalid Message-Authenticator!  (Shared secret is incorrect.)

  If you're running a very old version of FreeRADIUS, it might have a
bug which gets the Message-Authenticator wrong for disconnect packets.
Try upgrading to the latest version.

  But barring that, if it says the shared secret is wrong, it's because
the shared secret is wrong.

  Alan DeKok.


More information about the HostAP mailing list