[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-users
Subject:    Re: FreeRADIUS CoA Proxy [invalid Message-Authenticator] in response
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2023-10-31 22:03:23
Message-ID: 2CF3058C-D85A-4C7E-A7AB-F57DA804CA17 () deployingradius ! com
[Download RAW message or body]

On Oct 31, 2023, at 4:45 PM, Alexander Shulgin <alexs20@gmail.com> wrote:
> As you suggested I ran the server with -Xxxx flag and radclient with -xxx
> While it increased the debug level of the server, it did not change the
> output of the radclient.
> So i went forward and ran radsniff on both sides
> Attached are server2.txt (server log), radclient2.txt (radclient
> log), radsniff_client2.txt (radsniff output for the client)
> and radsniff_server2.txt (radsniff output for the server)
> 
> From what I see the final message from the server has exactly the same
> values as on client side, which means nothing changing the packet

  Hmm... that's weird.

  Looking at the server debug output in more detail, the issue is that the home \
server is sending Message-Authenticator in the Disconnect-ACK.  And the proxy is \
copying it back to the client unchanged.

  The proxy should instead calculate the correct value for Message-Authenticator when \
replying to the client.

  I've pushed a fix to the v3.2.x  and v3.0.x branches.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[prev in list] [next in list] [prev in thread] [next in thread]