Radius DAS won't work

Jouni Malinen j at w1.fi
Wed Feb 19 06:58:29 EST 2014

On Fri, Feb 07, 2014 at 12:44:34PM +0100, Robert Plestenjak wrote:
> DAS: Received 52 bytes from
> RADIUS message: code=40 (Disconnect-Request) identifier=40 length=52
>    Attribute 44 (Acct-Session-Id) length=19
>       Value: '52F4B5D1-00000000'
>    Attribute 1 (User-Name) length=7
>       Value: 'janez'
>    Attribute 4 (NAS-IP-Address) length=6
>       Value:
> DAS: Unsupported attribute 4 in Disconnect-Request from

> Now, if I get this right, NAS receives Disconnect-Request and it complains that it doesn't support attribute 4 (Accounting-Request). Then it sends response NAK and error, attribute 101 with value 401 (unsuported attribute).

That's an attribute, not code.. In other words, attribute 4 is
NAS-IP-Address. hostapd does not currently support identification of the
NAS based on attributes (it doesn't make much sense to do that since
hostapd is not a proxy and Disconnect-Request sent to its IP address is
already identifying the target). Based on RFC 5176, any unsupported
attribute in the request will result in Disconnect-NAK with error code
401. In other words, you would need to drop that NAS-IP-Address from the
Disconnect-Request for now.

I understand that the RADIUS proxy would likely end up forwarding all
the attributes, so it would make sense to add support in hostapd at
least for NAS-IP-Address (and NAS-IPv6-Address) and maybe NAS-Identifier
as well, since it is also mentioned in the RFC, so that the proxy case
would work as well.

> rad_verify: Received packet from with invalid Message-Authenticator!  (Shared secret is incorrect.)
> radclient: no response from server for ID 40 socket 3
> On Freeradius side we see that disconnect requst was send, NAK received and after that it fails verifying Message-Authenticator response.

I don't remember in which version this was fixed, but I'd assume you'll
see this go away by updating to the latest FreeRADIUS release.

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list