a problem about radius and digest
Hi! I am using radius to authenticate requests from the radiusclient-ng2 with the digest method. I have a strange situation because the client logs the following problem:

received invalid reply digest from RADIUS server

This is strange because as I read on the web this error is due to wrong secrets configuration. I checked a few times and secrets are the same. I even tried to reinstall both freeradius and libradiusclient-ng2. Please help me and point out what could be a reason for this??

here is my radius debug (maybe it will help):

rad_recv: Access-Request packet from host 127.0.0.1 port 32894, id=198, length=300
    User-Name = [EMAIL PROTECTED]
    Digest-Attributes = 0x0a0968656c6c626f79
    Digest-Attributes = 0x010e766f69702e746f756b2e706c
    Digest-Attributes = 0x022a34356264656531363664353437333838393736323162356564343730383331323661316461636633
    Digest-Attributes = 0x04187369703a746f6d697840766f69702e746f756b2e706c
    Digest-Attributes = 0x0308494e56495445
    Digest-Attributes = 0x050661757468
    Digest-Attributes = 0x090a3030303030303031
    Digest-Attributes = 0x0822363946443538313637443542464636463130463336374645394343313839
    Digest-Response = 2c8b62ee23ac6cbe4a551b8b698a509c
    Service-Type = 0x000f
    SER-Service-Type = 0x0003
    SER-Uri-User = hellboy
    NAS-Port = 0x13c4
    NAS-IP-Address = 0x7f01
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module preprocess returns ok for request 1
radius_xlat: '/var/log/radiusd/radacct/127.0.0.1/detail-200701'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/detail-%Y%m expands to /var/log/radiusd/radacct/127.0.0.1/detail-200701
radius_xlat: 'Mon Jan 29 13:47:38 2007'
modcall[authorize]: module detail returns ok for request 1
radius_xlat: '/var/log/radiusd/radacct/127.0.0.1/auth-detail-200701'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/auth-detail-%Y%m expands to /var/log/radiusd/radacct/127.0.0.1/auth-detail-200701
radius_xlat: 'Mon Jan 29 13:47:38 2007'
modcall[authorize]: module auth_log returns ok for request 1
rlm_digest: Adding Auth-Type = DIGEST
modcall[authorize]: module digest returns ok for request 1
users: Matched entry [EMAIL PROTECTED] at line 3
radius_xlat: '[EMAIL PROTECTED]'
modcall[authorize]: module files returns ok for request 1
modcall[authorize]: module expiration returns noop for request 1
modcall[authorize]: module logintime returns noop for request 1
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 1
modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type DIGEST
auth: type Digest
Processing the authenticate section of radiusd.conf
modcall: entering group Digest for request 1
rlm_digest: Converting Digest-Attributes to something sane...
    Digest-User-Name = hellboy
    Digest-Realm = voip.touk.pl
    Digest-Nonce = 45bdee166d54738897621b5ed47083126a1dacf3
    Digest-URI = sip:[EMAIL PROTECTED]
    Digest-Method = INVITE
    Digest-QOP = auth
    Digest-Nonce-Count = 0001
    Digest-CNonce = 69FD58167D5BFF6F10F367FE9CC18339
A1 = hellboy:voip.touk.pl:hellboy
A2 = INVITE:sip:[EMAIL PROTECTED]
H(A1) = a383a13215180e1f7d2fc755c99af602
H(A2) = 429a8006b569afff5cd5fe2a50024c56
KD = a383a13215180e1f7d2fc755c99af602:45bdee166d54738897621b5ed47083126a1dacf3:0001:69FD58167D5BFF6F10F367FE9CC18339:auth:429a8006b569afff5cd5fe2a50024c56
EXPECTED 2c8b62ee23ac6cbe4a551b8b698a509c
RECEIVED 2c8b62ee23ac6cbe4a551b8b698a509c
modcall[authenticate]: module digest returns ok for request 1
modcall: group Digest returns ok for request 1
Login OK: [EMAIL PROTECTED]/via Auth-Type = DIGEST] (from client localhost port 0)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 1
radius_xlat: '/var/log/radiusd/radacct/127.0.0.1/reply-detail-200701'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/reply-detail-%Y%m expands to /var/log/radiusd/radacct/127.0.0.1/reply-detail-200701
radius_xlat: 'Mon Jan 29 13:47:38 2007'
modcall[post-auth]: module reply_log returns ok for request 1
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 198 to 127.0.0.1 port 32894
    SER-UID = [EMAIL PROTECTED]
    Reply-Message = Authenticated
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 198 with timestamp 45bdecea
Nothing to do. Sleeping until we see a request.

Bests
Tomasz
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: a problem about radius and digest
tzieleniewski wrote:
> Hi!! I am running Debian etch release OS on the 64 bit CPU below is the detailed CPU information:

So... the libradiusclient code isn't 64-bit clean. It needs to be fixed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
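What "64-bit clean" means on the wire, as an added example that is not part of the original thread or of libradiusclient: RFC 2865 gives Service-Type, NAS-Port and NAS-IP-Address a value field of exactly 4 bytes, and this walker flags any that differ. The sample packets are constructed, and packing with `"!Q"` is an assumption standing in for a client that writes a 64-bit C `long` into the packet.

```python
import struct

# RFC 2865 attributes whose value field is exactly 4 bytes.
FOUR_BYTE_ATTRS = {4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type"}

def encode_attr(attr_type, value):
    """Type (1 byte), Length (1 byte, counts the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def find_bad_widths(attrs):
    """Walk a RADIUS attribute list and return (name, value_len) for every
    4-byte attribute whose value is not 4 bytes long."""
    bad, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("bad attribute length")
        if attr_type in FOUR_BYTE_ATTRS and length - 2 != 4:
            bad.append((FOUR_BYTE_ATTRS[attr_type], length - 2))
        pos += length
    return bad

# Constructed samples: Service-Type 15 and NAS-Port 5060 (0x13c4).
# "!I" is a fixed 32-bit field; "!Q" is the assumed 64-bit mistake.
CLEAN = (encode_attr(6, struct.pack("!I", 15))
         + encode_attr(5, struct.pack("!I", 5060)))
UNCLEAN = (encode_attr(6, struct.pack("!Q", 15))
           + encode_attr(5, struct.pack("!Q", 5060)))

if __name__ == "__main__":
    print("clean:  ", find_bad_widths(CLEAN))
    print("unclean:", find_bad_widths(UNCLEAN))
```
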
Re: a problem about radius and digest
On Mon 29 Jan 2007 17:22, Alan DeKok wrote:
> tzieleniewski wrote:
>> I am using radius to authenticate requests from the radiusclient-ng2 with the digest method. I have a strange situation because the client logs the following problem:
>>
>> received invalid reply digest from RADIUS server
>>
>> This is strange because as I read on the web this error is due to wrong secrets configuration.
>
> Yes. The shared secrets are wrong, or there is some miscalculation of the reply digest.
>
>> I checked a few times and secrets are the same. I even tried to reinstall both freeradius and libradiusclient-ng2. Please help me and point out what could be a reason for this??
>
> Which OS are you running on? Is it 64-bit? What CPU? The libradiusclient code MAY be doing MD5 incorrectly.
>
>> here is my radius debug (maybe it will help):
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 32894, id=198, length=300
>>     User-Name = [EMAIL PROTECTED]
>>     Digest-Attributes = 0x0a0968656c6c626f79
>>     Digest-Attributes = 0x010e766f69702e746f756b2e706c
>>     Digest-Attributes = 0x022a34356264656531363664353437333838393736323162356564343730383331323661316461636633
>>     Digest-Attributes = 0x04187369703a746f6d697840766f69702e746f756b2e706c
>>     Digest-Attributes = 0x0308494e56495445
>>     Digest-Attributes = 0x050661757468
>>     Digest-Attributes = 0x090a3030303030303031
>>     Digest-Attributes = 0x0822363946443538313637443542464636463130463336374645394343313839
>>     Digest-Response = 2c8b62ee23ac6cbe4a551b8b698a509c
>>     Service-Type = 0x000f
>
> That looks like a bug in libradiusclient. The Service-Type attribute should be 4 bytes of data, not 8.
>
>>     SER-Service-Type = 0x0003
>>     SER-Uri-User = hellboy
>>     NAS-Port = 0x13c4
>>     NAS-IP-Address = 0x7f01
>
> Again, the NAS-Port and NAS-IP-Address attributes should be 4 bytes of data, not 8. This makes me suspect you're running on a 64-bit system, and that the libradiusclient code isn't 64-bit clean.

Yes. I _think_ that this is the bug that chris fixed in freeradius-client 2 days ago.

Try using a current snapshot of freeradius-client instead of radiusclient-ng and see if the problem is solved. Here is a link:

ftp://ftp.suntel.com.tr/pub/freeradius/snapshots/freeradius-client-snapshot-20070129.tar.bz2

A patch I wrote to make OpenSER use freeradius-client instead of radiusclient-ng is at:

https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1631052&group_id=139143

If you run SER instead of OpenSER you may have to fiddle with the patch slightly. A modified version of the patch has been applied to openser cvs. (See the comments for details)

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
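The check behind "received invalid reply digest", as an added example that is not code from this thread, FreeRADIUS or libradiusclient: a RADIUS client recomputes the RFC 2865 Response Authenticator over the reply and compares it with the one in the packet. The shared secrets and the request authenticator below are constructed sample values; only the id (198) and the Reply-Message text mirror the debug output above.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RFC 2865 packet code

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: sign the reply with the secret configured for this client."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, request_auth, secret):
    """Client side: recompute the digest and compare. A False result is the
    condition a client reports as an invalid reply digest."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    expected = response_authenticator(
        code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values (not taken from the thread's packets).
REQUEST_AUTH = bytes(range(16))        # authenticator the client sent
SERVER_SECRET = b"example-secret"      # hypothetical shared secret
msg = b"Authenticated"
REPLY_ATTRS = struct.pack("!BB", 18, len(msg) + 2) + msg  # Reply-Message
REPLY = build_reply(ACCESS_ACCEPT, 198, REPLY_ATTRS, REQUEST_AUTH, SERVER_SECRET)

def diagnose():
    """Wrong secret (named in the thread) plus two other digest mismatches."""
    return {
        "matching secret": verify_reply(REPLY, REQUEST_AUTH, SERVER_SECRET),
        "wrong secret": verify_reply(REPLY, REQUEST_AUTH, b"other-secret"),
        "wrong request authenticator": verify_reply(REPLY, bytes(16), SERVER_SECRET),
        "attribute altered in transit": verify_reply(
            REPLY[:-1] + b"X", REQUEST_AUTH, SERVER_SECRET),
    }

if __name__ == "__main__":
    for case, ok in diagnose().items():
        print(f"{case}: {'valid' if ok else 'invalid reply digest'}")
```
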
Re: a problem about radius and digest
Peter Nixon wrote:
> On Mon 29 Jan 2007 17:22, Alan DeKok wrote:
>> tzieleniewski wrote:
>>> I am using radius to authenticate requests from the radiusclient-ng2 with the digest method. I have a strange situation because the client logs the following problem:
>>>
>>> "received invalid reply digest from RADIUS server"
>>>
>>> This is strange because as I read on the web this error is due to wrong secrets configuration.
>>
>> Yes. The shared secrets are wrong, or there is some miscalculation of the reply digest.
>>
>>> I checked a few times and secrets are the same. I even tried to reinstall both freeradius and libradiusclient-ng2. Please help me and point out what could be a reason for this??
>>
>> Which OS are you running on? Is it 64-bit? What CPU? The libradiusclient code MAY be doing MD5 incorrectly.
>>
>>> here is my radius debug (maybe it will help):
>>>
>>> rad_recv: Access-Request packet from host 127.0.0.1 port 32894, id=198, length=300
>>>     User-Name = "[EMAIL PROTECTED]"
>>>     Digest-Attributes = 0x0a0968656c6c626f79
>>>     Digest-Attributes = 0x010e766f69702e746f756b2e706c
>>>     Digest-Attributes = 0x022a34356264656531363664353437333838393736323162356564343730383331323661316461636633
>>>     Digest-Attributes = 0x04187369703a746f6d697840766f69702e746f756b2e706c
>>>     Digest-Attributes = 0x0308494e56495445
>>>     Digest-Attributes = 0x050661757468
>>>     Digest-Attributes = 0x090a3030303030303031
>>>     Digest-Attributes = 0x0822363946443538313637443542464636463130463336374645394343313839
>>>     Digest-Response = "2c8b62ee23ac6cbe4a551b8b698a509c"
>>>     Service-Type = 0x000f
>>
>> That looks like a bug in libradiusclient. The Service-Type attribute should be 4 bytes of data, not 8.
>>
>>>     SER-Service-Type = 0x0003
>>>     SER-Uri-User = "hellboy"
>>>     NAS-Port = 0x13c4
>>>     NAS-IP-Address = 0x7f01
>>
>> Again, the NAS-Port and NAS-IP-Address attributes should be 4 bytes of data, not 8. This makes me suspect you're running on a 64-bit system, and that the libradiusclient code isn't 64-bit clean.
>
> Yes. I _think_ that this is the bug that chris fixed in freeradius-client 2 days ago.
>
> Try using a current snapshot of freeradius-client instead of radiusclient-ng and see if the problem is solved. Here is a link:
>
> ftp://ftp.suntel.com.tr/pub/freeradius/snapshots/freeradius-client-snapshot-20070129.tar.bz2
>
> A patch I wrote to make OpenSER use freeradius-client instead of radiusclient-ng is at:
>
> https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1631052&group_id=139143
>
> If you run SER instead of OpenSER you may have to fiddle with the patch slightly. A modified version of the patch has been applied to openser cvs. (See the comments for details)
>
> Cheers

Thank you! I've never worked with OpenSer and I have never tried to apply a patch to SER. Could you point me to some resources where I can get some more understanding of what such a patch is and how to apply it? I read the comments and from them I understood that what I need to do is install FreeRadius Client, because the problem concerns the client side, and then integrate ser/openser to use this client. And this is what I don't know exactly how to achieve; please help me with this issue.

bests
-tomasz