Hi all,

I've been unable to have a standalone 1602i successfully accept CoA packets from packetfence in order to have sessions re-authenticate, with an error indicating that the message authenticator was missing or incorrect.

Debug aaa coa from the WAP:

*Mar 1 00:28:42.582: RADIUS: COA received from id 138 172.31.1.39:42734, CoA Request, len 83
*Mar 1 00:28:42.582: COA: 172.31.1.39 request queued
*Mar 1 00:28:42.582: RADIUS: authenticator 39 BE 21 0E A2 FF 4C E2 - 92 7A 81 80 7A EC 96 E0
*Mar 1 00:28:42.582: RADIUS: Calling-Station-Id [31] 16 "cc3d.82bd.592a"
*Mar 1 00:28:42.582: RADIUS: NAS-IP-Address [4] 6 172.31.1.57
*Mar 1 00:28:42.582: RADIUS: Vendor, Cisco [26] 41
*Mar 1 00:28:42.582: RADIUS: Cisco AVpair [1] 35 "subscriber:command=reauthenticate"
*Mar 1 00:28:42.582: COA: Message Authenticator missing or failed decode
*Mar 1 00:28:42.582: ++++++ CoA Attribute List ++++++
*Mar 1 00:28:42.582: 05D63794 0 00000081 formatted-clid(37) 14 cc3d.82bd.592a
*Mar 1 00:28:42.582: 05D638A4 0 00000001 nas-ip-address(600) 4 172.31.1.57
*Mar 1 00:28:42.582: 05D638D8 0 00000081 ssg-command-code(490) 1 32
*Mar 1 00:28:42.582:
*Mar 1 00:28:42.582: COA: Added NACK Error Cause: Success
*Mar 1 00:28:42.582: COA: Sending NAK from port 3799 to 172.31.1.39/42734
*Mar 1 00:28:42.582: RADIUS: 101 6 000000C8

The error seems identical to this post from a week or so ago, although in that instance, Henning is using wired authentication on a switch.

https://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg10522.html

I could replicate the same issue using radclient, and can confirm that even manually adding the message authenticator option did not help.

root@packetfence:/usr/local/pf# echo -e "Calling-Station-Id=\"cc3d.82bd.592a\"\nNAS-IP-Address=\"172.31.1.57\"\nCisco-AVpair = \"subscriber:command=reauthenticate\"\nMessage-Authenticator = 0x00 "| radclient 172.31.1.57 coa useStrongerSecret
Received response ID 239, code 45, length = 44
Error-Cause = 200
Message-Authenticator = 0xee6af846e751d999b67b45332f4627ab

Changing the module to use a Disconnect-Request instead of CoA worked.

Does anyone have any ideas as to why the CoA would not be working?

Thanks,
Andrew
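
An added example, not part of the original post and not PacketFence or Cisco code: a checker for the Message-Authenticator (attribute 80) of a CoA-Request as RFC 5176 defines it, HMAC-MD5 over the packet with the Request Authenticator and the attribute's own value zeroed. The sample packet is constructed from the three attributes in the debug output, which together with the 20-byte header account for the whole logged `len 83`; the shared secret is a made-up value.

```python
import hashlib, hmac, socket, struct

COA_REQUEST = 43             # RADIUS code for CoA-Request (RFC 5176)
MESSAGE_AUTHENTICATOR = 80   # attribute type, value is 16 bytes
ZERO16 = bytes(16)

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text):
    sub = attr(1, text.encode())                  # Cisco vendor type 1 = AVPair
    return attr(26, struct.pack("!I", 9) + sub)   # Vendor-Specific, vendor id 9

def build_coa(ident, attrs, secret, with_msg_auth=True):
    if with_msg_auth:
        attrs += attr(MESSAGE_AUTHENTICATOR, ZERO16)
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    if with_msg_auth:
        # HMAC-MD5 with the authenticator field and the attribute value zeroed
        mac = hmac.new(secret, head + ZERO16 + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    # Request Authenticator is computed last, over the finished attributes
    req_auth = hashlib.md5(head + ZERO16 + attrs + secret).digest()
    return head + req_auth + attrs

def check_msg_auth(packet, secret):
    """Return 'missing', 'bad' or 'ok' for the packet's Message-Authenticator."""
    pos, end = 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end:
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return "bad"                          # malformed attribute length
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = (packet[:4] + ZERO16 + packet[20:pos + 2]
                      + ZERO16 + packet[pos + 18:end])
            want = hmac.new(secret, zeroed, hashlib.md5).digest()
            got = packet[pos + 2:pos + 18]
            return "ok" if hmac.compare_digest(want, got) else "bad"
        pos += length
    return "missing"

# Constructed sample: attribute values from the debug output, invented secret.
SECRET = b"constructed-secret"
SAMPLE_ATTRS = (attr(31, b"cc3d.82bd.592a")
                + attr(4, socket.inet_aton("172.31.1.57"))
                + cisco_avpair("subscriber:command=reauthenticate"))

if __name__ == "__main__":
    for flag in (False, True):
        pkt = build_coa(138, SAMPLE_ATTRS, SECRET, with_msg_auth=flag)
        print(len(pkt), check_msg_auth(pkt, SECRET))
```

Running the same check over a captured CoA-Request (UDP payload, port 3799) with the real shared secret separates an absent attribute from a wrong secret or a miscalculated HMAC.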
