Re: Accounting-Response with invalid signature
Hi Alan, Thanks for your explanation. Do you know when will it happen ? Rio 2007/5/25, Alan Dekok [EMAIL PROTECTED]: Rio Yang wrote: I got the following message from my radius.log. Wed May 23 16:39:11 2007 : Error: Received Accounting-Response packet from 172.16.1.1:1813 with invalid signature (err=2)! (Shared secret is incorrect.) Wed May 23 16:39:11 2007 : Error: Reply from home server 172.16.1.1:1813 - ID: 180 arrived too late for request 2515449. Try increasing 'retry_delay' or 'max_request_time' This happens sometimes in versions before 1.1.5. Upgrade. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting-Response with invalid signature
Rio Yang wrote: Thanks for your explanation. Do you know when will it happen ? When what will happen? I said it happens in 1.1.5, and you should upgrade. 1.1.6 has been out for a while, as the main web page makes clear (if you read it). Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting-Response with invalid signature
Rio Yang wrote: I got the following message from my radius.log. Wed May 23 16:39:11 2007 : Error: Received Accounting-Response packet from 172.16.1.1:1813 with invalid signature (err=2)! (Shared secret is incorrect.) Wed May 23 16:39:11 2007 : Error: Reply from home server 172.16.1.1:1813 - ID: 180 arrived too late for request 2515449. Try increasing 'retry_delay' or 'max_request_time' This happens sometimes in versions before 1.1.5. Upgrade. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Accounting-Response with invalid signature
Hi All, I got the following message from my radius.log. Wed May 23 16:39:11 2007 : Error: Received Accounting-Response packet from 172.16.1.1:1813 with invalid signature (err=2)! (Shared secret is incorrect.) Wed May 23 16:39:11 2007 : Error: Reply from home server 172.16.1.1:1813 - ID: 180 arrived too late for request 2515449. Try increasing 'retry_delay' or 'max_request_time' It caused some problem on accounting record . The secret between NAS and RADIUS are the same. But the log tell me the secret is incorrect at Accounting-Response. Do anybody know what's the main cause and how to fix it ? PS. NAS and Radius are in the same subnet without any firewall. [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting-Response with invalid signature
Hi Rio, what type of NAS are you using? I've experienced similar behaviour with nocat software. The problem was that the NAS did not generate correct packet signature according to rfc. I have a simple patch to freeradius to bypass checking of signature of accounting packets. Although the correct way is to fix your NAS to create the signature according to rfc. Anyway I can send you the patch for testing if needed. Regards Milan Holub holub (at) thenet (dot) ch -- TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129 CH-3018, Bern, Switzerland 031 998 4333, Fax 031 998 4330 http://www.thenet.ch http://wlan.thenet.ch -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting-Response with invalid signature
Hi Milan, Sorry~ I don't describ my architecture more detail. NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk) (FreeRadius proxy to JuniperSBR) The error message occurred between FreeRADIUS and JuniperSBR. In my thinking, there is no secret error in Accounting-Request why I got the secret error in Accounting-Response. Rio 2007/5/23, Milan Holub [EMAIL PROTECTED]: Hi Rio, what type of NAS are you using? I've experienced similar behaviour with nocat software. The problem was that the NAS did not generate correct packet signature according to rfc. I have a simple patch to freeradius to bypass checking of signature of accounting packets. Although the correct way is to fix your NAS to create the signature according to rfc. Anyway I can send you the patch for testing if needed. Regards Milan Holub holub (at) thenet (dot) ch -- TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129 CH-3018, Bern, Switzerland 031 998 4333, Fax 031 998 4330 http://www.thenet.ch http://wlan.thenet.ch -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting-Response with invalid signature
On 23/05/07, Rio Yang [EMAIL PROTECTED] wrote: NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk) (FreeRadius proxy to JuniperSBR) The error message occurred between FreeRADIUS and JuniperSBR. But then you need to set the same shared secret on the FreeRadius server and the JuniperSBR, nothing to do with the NAS. Alex - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting-Response with invalid signature
I have checked all secrets and they are the same. Not all Accounting-Response with invalid signature. This error message occurred in sometime. It's a very strange. Rio 2007/5/23, Alex French [EMAIL PROTECTED]: On 23/05/07, Rio Yang [EMAIL PROTECTED] wrote: NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk) (FreeRadius proxy to JuniperSBR) The error message occurred between FreeRADIUS and JuniperSBR. But then you need to set the same shared secret on the FreeRadius server and the JuniperSBR, nothing to do with the NAS. Alex - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
