On Mon, Oct 22, 2012 at 06:50:57PM +0000, Thomas Tsai wrote:
> I think I found the smoking gun. It's a problem with freeradius.
>
> I am using FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built
> on Jun 22 2012 at 11:13:32, which was included with latest PF distribution.
>
> Per http://freeradius.org/ , v2.20 fixes the following BUG:
>
> *Correct calculation of Message-Authenticator for CoA and Disconnect replies.
> Patch from Jouni Malinen

That only changes the calculation of the authenticator for *replies*, i.e.
PW_DISCONNECT_ACK, PW_DISCONNECT_NAK, PW_COA_ACK, PW_COA_NAK and therefore
AFAICS this would only affect things if you were sending a CoA request *to* a
FreeRADIUS server, and FreeRADIUS were sending back the response.

If you had not put any shared secret into switches.conf, then I'm pretty sure
that radclient would have been unable to send the CoA packet with the right
secret. At best it would have signed it with an empty secret.

> Can I upgrade radius v2.20 without breaking PF? Or is that something you
> guys need to review?

(You mean 2.2.0)

It was posted to this list a few days ago that you could, so by all means go
ahead, but I don't think that's your problem.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
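
Added example, not part of the original message and not FreeRADIUS or PacketFence code: a sketch of the RFC 5176 signing rules the reply relies on, showing that a Disconnect-Request signed with an empty secret fails verification under the real secret, and that a reply's Message-Authenticator is keyed to the request's authenticator. The function names, the secret and the attribute values are constructed for illustration.

```python
import hashlib, hmac, struct

DISCONNECT_REQUEST, DISCONNECT_ACK = 40, 41  # RFC 5176 packet codes
MSG_AUTH = 80                                # Message-Authenticator attribute type
ZERO16 = bytes(16)

def _sign(code, ident, attrs, secret, seed):
    """seed: 16 zero octets for a request, the request's authenticator for a reply."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs) + 18)
    blank = attrs + bytes([MSG_AUTH, 18]) + ZERO16
    mac = hmac.new(secret, hdr + seed + blank, hashlib.md5).digest()
    body = attrs + bytes([MSG_AUTH, 18]) + mac
    # Authenticator is computed last, over the packet with the HMAC filled in.
    return hdr + hashlib.md5(hdr + seed + body + secret).digest() + body

def build_request(code, ident, attrs, secret):
    return _sign(code, ident, attrs, secret, ZERO16)

def build_reply(code, request, attrs, secret):
    return _sign(code, request[1], attrs, secret, request[4:20])

def verify(packet, secret, request=None):
    """Receiver-side check of the authenticator and Message-Authenticator."""
    seed = request[4:20] if request else ZERO16
    hdr, auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(hdr + seed + body + secret).digest(), auth):
        return False
    pos = 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return False  # malformed attribute
        if atype == MSG_AUTH and alen == 18:
            zeroed = body[:pos + 2] + ZERO16 + body[pos + 18:]
            want = hmac.new(secret, hdr + seed + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(want, body[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator present

# Constructed sample values (not from the thread): User-Name "bob", a made-up secret.
ATTRS = bytes([1, 5]) + b"bob"
REAL, EMPTY = b"example-secret", b""

if __name__ == "__main__":
    good = build_request(DISCONNECT_REQUEST, 7, ATTRS, REAL)
    unsigned = build_request(DISCONNECT_REQUEST, 7, ATTRS, EMPTY)
    print("real secret accepted:", verify(good, REAL))
    print("empty-secret packet accepted:", verify(unsigned, REAL))
    ack = build_reply(DISCONNECT_ACK, good, b"", REAL)
    print("ACK verifies against its request:", verify(ack, REAL, request=good))
```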
