a problem about radius and digest

2007-01-29 Thread tzieleniewski
Hi!

I am using radius to authenticate requests from radiusclient-ng2 with the 
digest method.
I have a strange situation because the client logs the following problem: 
received invalid reply digest from RADIUS server
This is strange because, as I read on the web, this error is due to a wrong 
secrets configuration. 
I checked a few times and the secrets are the same; I even tried to reinstall 
both freeradius and libradiusclient-ng2. Please help me and point out what 
could be the reason for this?

here is my radius debug (maybe will help):
rad_recv: Access-Request packet from host 127.0.0.1 port 32894, id=198, length=300
User-Name = [EMAIL PROTECTED]
Digest-Attributes = 0x0a0968656c6c626f79
Digest-Attributes = 0x010e766f69702e746f756b2e706c
Digest-Attributes = 0x022a34356264656531363664353437333838393736323162356564343730383331323661316461636633
Digest-Attributes = 0x04187369703a746f6d697840766f69702e746f756b2e706c
Digest-Attributes = 0x0308494e56495445
Digest-Attributes = 0x050661757468
Digest-Attributes = 0x090a3030303030303031
Digest-Attributes = 0x0822363946443538313637443542464636463130463336374645394343313839
Digest-Response = 2c8b62ee23ac6cbe4a551b8b698a509c
Service-Type = 0x000f
SER-Service-Type = 0x0003
SER-Uri-User = hellboy
NAS-Port = 0x13c4
NAS-IP-Address = 0x7f01
  Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
radius_xlat:  '/var/log/radiusd/radacct/127.0.0.1/detail-200701'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/detail-%Y%m expands to /var/log/radiusd/radacct/127.0.0.1/detail-200701
radius_xlat:  'Mon Jan 29 13:47:38 2007'
  modcall[authorize]: module detail returns ok for request 1
radius_xlat:  '/var/log/radiusd/radacct/127.0.0.1/auth-detail-200701'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/auth-detail-%Y%m expands to /var/log/radiusd/radacct/127.0.0.1/auth-detail-200701
radius_xlat:  'Mon Jan 29 13:47:38 2007'
  modcall[authorize]: module auth_log returns ok for request 1
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module digest returns ok for request 1
users: Matched entry [EMAIL PROTECTED] at line 3
radius_xlat:  '[EMAIL PROTECTED]'
  modcall[authorize]: module files returns ok for request 1
  modcall[authorize]: module expiration returns noop for request 1
  modcall[authorize]: module logintime returns noop for request 1
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type DIGEST
auth: type Digest
  Processing the authenticate section of radiusd.conf
modcall:  entering group Digest for request 1
rlm_digest: Converting Digest-Attributes to something sane...
Digest-User-Name = hellboy
Digest-Realm = voip.touk.pl
Digest-Nonce = 45bdee166d54738897621b5ed47083126a1dacf3
Digest-URI = sip:[EMAIL PROTECTED]
Digest-Method = INVITE
Digest-QOP = auth
Digest-Nonce-Count = 0001
Digest-CNonce = 69FD58167D5BFF6F10F367FE9CC18339
A1 = hellboy:voip.touk.pl:hellboy
A2 = INVITE:sip:[EMAIL PROTECTED]
H(A1) = a383a13215180e1f7d2fc755c99af602
H(A2) = 429a8006b569afff5cd5fe2a50024c56
KD = a383a13215180e1f7d2fc755c99af602:45bdee166d54738897621b5ed47083126a1dacf3:0001:69FD58167D5BFF6F10F367FE9CC18339:auth:429a8006b569afff5cd5fe2a50024c56
EXPECTED 2c8b62ee23ac6cbe4a551b8b698a509c
RECEIVED 2c8b62ee23ac6cbe4a551b8b698a509c
  modcall[authenticate]: module digest returns ok for request 1
modcall: group Digest returns ok for request 1
Login OK: [EMAIL PROTECTED]/via Auth-Type = DIGEST] (from client localhost port 0)
  Processing the post-auth section of radiusd.conf
modcall:  entering group post-auth for request 1
radius_xlat:  '/var/log/radiusd/radacct/127.0.0.1/reply-detail-200701'
rlm_detail: /var/log/radiusd/radacct/%{Client-IP-Address}/reply-detail-%Y%m expands to /var/log/radiusd/radacct/127.0.0.1/reply-detail-200701
radius_xlat:  'Mon Jan 29 13:47:38 2007'
  modcall[post-auth]: module reply_log returns ok for request 1
modcall: group post-auth returns ok for request 1
Sending Access-Accept of id 198 to 127.0.0.1 port 32894
SER-UID = [EMAIL PROTECTED]
Reply-Message = Authenticated
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 198 with timestamp 45bdecea
Nothing to do.  Sleeping until we see a request.


Bests
 Tomasz

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: a problem about radius and digest

2007-01-29 Thread Alan DeKok
tzieleniewski wrote:
> Hi!!
> I am running Debian etch release OS on the 64 bit CPU
> below is the detailed CPU information:

  So... the libradiusclient code isn't 64-bit clean.  It needs to be fixed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: a problem about radius and digest

2007-01-29 Thread Peter Nixon
On Mon 29 Jan 2007 17:22, Alan DeKok wrote:
> tzieleniewski wrote:
> > I am using radius to authenticate request from the radiusclient-ng2 with
> > the digest method. I have a strange situation because client log the
> > following problem: received invalid reply digest from RADIUS server
> > This is strange because as I read on web this error is due to wrong
> > secrets configuration.
>
>   Yes.  The shared secrets are wrong, or there is some miscalculation of
> the reply digest.
>
> > I checked a few times and secrets are the same I even tried to reinstall
> > both freeradius and libradiusclient-ng2. Please help me and point what
> > could be a reason for this??
>
>   Which OS are you running on?  Is it 64-bit?  What CPU?
>
>   The libradiusclient code MAY be doing MD5 incorrectly.
>
> > here is my radius debug (maybe will help):
> > rad_recv: Access-Request packet from host 127.0.0.1 port 32894, id=198, length=300
> > User-Name = [EMAIL PROTECTED]
> > Digest-Attributes = 0x0a0968656c6c626f79
> > Digest-Attributes = 0x010e766f69702e746f756b2e706c
> > Digest-Attributes = 0x022a34356264656531363664353437333838393736323162356564343730383331323661316461636633
> > Digest-Attributes = 0x04187369703a746f6d697840766f69702e746f756b2e706c
> > Digest-Attributes = 0x0308494e56495445
> > Digest-Attributes = 0x050661757468
> > Digest-Attributes = 0x090a3030303030303031
> > Digest-Attributes = 0x0822363946443538313637443542464636463130463336374645394343313839
> > Digest-Response = 2c8b62ee23ac6cbe4a551b8b698a509c
> > Service-Type = 0x000f
>
>   That looks like a bug in libradiusclient.  The Service-Type attribute
> should be 4 bytes of data, not 8.
>
> > SER-Service-Type = 0x0003
> > SER-Uri-User = hellboy
> > NAS-Port = 0x13c4
> > NAS-IP-Address = 0x7f01
>
>   Again, the NAS-Port & NAS-IP-Address attributes should be 4 bytes of
> data, not 8.
>
>   This makes me suspect you're running on a 64-bit system, and that the
> libradiusclient code isn't 64-bit clean.

Yes. I _think_ that this is the bug that Chris fixed in freeradius-client 2 
days ago.

Try using a current snapshot of freeradius-client instead of radiusclient-ng 
and see if the problem is solved. Here is a link:
ftp://ftp.suntel.com.tr/pub/freeradius/snapshots/freeradius-client-snapshot-20070129.tar.bz2

A patch I wrote to make OpenSER use freeradius-client instead of 
radiusclient-ng is at:
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=1631052&group_id=139143

If you run SER instead of OpenSER you may have to fiddle with the patch 
slightly.

A modified version of the patch has been applied to OpenSER CVS. (See the 
comments for details.)

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
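
Added example (not part of the original thread, and not libradiusclient or FreeRADIUS code): a Python check for the two symptoms discussed above, namely fixed-width attributes whose value is not 4 octets and a reply whose Response Authenticator does not verify as RFC 2865 defines it. The packets, the secret and all function names are constructed for illustration; the 8-octet encoding assumes an integer written at native `long` width on a 64-bit system.

```python
import hashlib
import hmac
import struct
# RFC 2865 attributes whose value is always 4 octets.
FOUR_OCTET_ATTRS = {4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type"}

def build_packet(code, ident, authenticator, attrs):
    """Header (code, id, length, 16-octet authenticator) + type/length/value attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    """Return [(type, value), ...] for the attributes after the 20-octet header."""
    length, pos, out = struct.unpack("!H", packet[2:4])[0], 20, []
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        end = pos + packet[pos + 1]
        out.append((packet[pos], packet[pos + 2:end]))
        pos = end
    return out

def bad_width_attributes(packet):
    """Fixed-width attributes whose value is not 4 octets, as (name, width)."""
    return [(FOUR_OCTET_ATTRS[t], len(v)) for t, v in parse_attributes(packet)
            if t in FOUR_OCTET_ATTRS and len(v) != 4]

def response_authenticator(reply, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    length = struct.unpack("!H", reply[2:4])[0]
    return hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()

def reply_digest_ok(reply, request_auth, secret):
    """Compare the authenticator carried in the reply with the recomputed one."""
    return hmac.compare_digest(reply[4:20], response_authenticator(reply, request_auth, secret))

# Constructed sample data; 15 and 5060 mirror the 0x000f and 0x13c4 in the debug log.
REQ_AUTH, SECRET = bytes(range(16)), b"constructed-secret"
GOOD_REQUEST = build_packet(1, 198, REQ_AUTH, [(6, struct.pack("!I", 15)), (5, struct.pack("!I", 5060))])
# Assumption: the same integers written at 8-octet (native LP64 long) width.
WIDE_REQUEST = build_packet(1, 198, REQ_AUTH, [(6, struct.pack("!Q", 15)), (5, struct.pack("!Q", 5060))])
_unsigned = build_packet(2, 198, bytes(16), [(18, b"Authenticated")])
REPLY = _unsigned[:4] + response_authenticator(_unsigned, REQ_AUTH, SECRET) + _unsigned[20:]

if __name__ == "__main__":
    print(bad_width_attributes(GOOD_REQUEST), bad_width_attributes(WIDE_REQUEST))
    print(reply_digest_ok(REPLY, REQ_AUTH, SECRET), reply_digest_ok(REPLY, REQ_AUTH, b"other"))
```
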



Re: a problem about radius and digest

2007-01-29 Thread TZieleniewski




Thank you!

I've never worked with OpenSER and I have never tried to apply a patch
to SER. Could you point me to some resources
where I can get some more understanding of what such a patch is and how to
apply it?
I read the comments and from them I understood that what I need to do
is install FreeRadius Client,
because the problem concerns the client side, and then integrate
ser/openser to use this client.
And this is what I don't know exactly how to achieve; please help me
with this issue.

bests
-tomasz



