LinuxQuestions.org
Old 12-02-2008, 07:35 AM   #1
vortmax
Member
 
Registered: Nov 2005
Posts: 91
Radius invalid signature problem


I have several devices on my network that support radius accounting (not authentication) and I'm trying to get them up and running with freeradius.

I have freeradius installed on ubuntu 8.04 (hardy) server edition from the repos and have added the NAS's to the clients.conf file with the correct shared secret. However, when I run freeradius in debug, I get this:

Code:
Waking up in 4 seconds...
rad_recv: Accounting-Request packet from host 172.16.16.9:30665, id=232, length=103
Received Accounting-Request packet from 172.16.16.9 with invalid signature!  (Shared secret is incorrect.) Dropping packet without response.
Finished request 18
Going to the next request
Waking up in 4 seconds...
I know the shared secret is the same and I've tried multiple ones in case the NAS didn't like mixed case or numerics in the string, but I get the same error.

Any ideas on what could be causing this or how to further troubleshoot? The docs for the NAS are really crappy and don't offer any help. The server is a 32-bit machine, so it's not the 64-bit MD5 bug.
 
Old 12-03-2008, 02:34 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Well, it's hard not to believe such a common and reliable message. I'd use a third-party test tool to simulate the client side and use the same details. Then you'll have a much better feeling over it being your NAS or the radius server. freeradius contains some test tools and there are many others via google.
 
Old 12-03-2008, 08:25 AM   #3
vortmax
Member
 
Registered: Nov 2005
Posts: 91

Original Poster
Okay, I tested out the server from another client.

I have these two clients in my clients.conf file:

Code:
client 172.16.16.9 {
        secret          = *****
        shortname       = CMTS
}

client 172.16.24.7 {
        secret          = *****
        shortname       = TestClient
}
Where the CMTS is the device giving me issues and the TestClient is another linux server. Both secrets are the same.

From the Test Client, I ran this command:

Code:
 echo "User-Name = NULL" | radclient 172.16.0.6 acct *******

and got this dumped from the radius server in debug mode:

Code:
rad_recv: Accounting-Request packet from host 172.16.24.7:50047, id=12, length=26
        User-Name = "NULL"
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
  modcall[preacct]: module "preprocess" returns noop for request 0
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 172.16.24.7,NAS-IP-Address = 172.16.24.7,,User-Name = "NULL"'
rlm_acct_unique: Acct-Unique-Session-ID = "ee27e5925db68631".
  modcall[preacct]: module "acct_unique" returns ok for request 0
    rlm_realm: No '@' in User-Name = "NULL", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 0
  modcall[preacct]: module "files" returns noop for request 0
modcall: leaving group preacct (returns ok) for request 0
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
radius_xlat:  '/var/log/freeradius/radacct/172.16.24.7/detail-20081203'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/172.16.24.7/detail-20081203
  modcall[accounting]: module "detail" returns ok for request 0
rlm_unix: no Accounting-Status-Type attribute in request.
  modcall[accounting]: module "unix" returns noop for request 0
rlm_radutmp: No Accounting-Status-Type record.
  modcall[accounting]: module "radutmp" returns noop for request 0
modcall: leaving group accounting (returns ok) for request 0
Sending Accounting-Response of id 12 to 172.16.24.7 port 50047
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused

tcpdump shows the request packet as:
Code:
09:17:46.247854 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto UDP (17), length 54) 172.16.24.7.42823 > 172.16.0.6.radius-acct: [udp sum ok] RADIUS, length: 26
        Accounting Request (4), id: 0x11, Authenticator: 427f359ad4a11528fb908d3bd2921e72
          Username Attribute (1), length: 6, Value: NULL
            0x0000:  4e55 4c4c

When I examine the packet sent by the CMTS, this is what I see:
Code:
09:17:08.336730 IP (tos 0x0, ttl 61, id 54638, offset 0, flags [none], proto UDP (17), length 131) 172.16.16.9.30666 > 172.16.0.6.radius-acct: RADIUS, length: 103
        Accounting Request (4), id: 0x8b, Authenticator: 17038b4fac47e2d996b78c912fd18370
          Accounting Status Attribute (40), length: 6, Value: Stop
            0x0000:  0000 0002
          NAS IP Address Attribute (4), length: 6, Value: 172.16.16.9
            0x0000:  ac10 1009
          Accounting Input Octets Attribute (42), length: 6, Value: 629
            0x0000:  0000 0275
          Accounting Output Octets Attribute (43), length: 6, Value: 645
            0x0000:  0000 0285
          Accounting Input Packets Attribute (47), length: 6, Value: 5
            0x0000:  0000 0005
          Accounting Output Packets Attribute (48), length: 6, Value:  [|radius]
            0x0000:  0000 [|radius]

Any thoughts? Like I mentioned, I know the secrets are the same, unless the CMTS is adding funky extra characters or screwing up the hash somehow.

I'm going to call their engineer later today, but I just want to make sure it's not something stupidly simple on my end first.

Last edited by vortmax; 12-03-2008 at 08:27 AM.
 
Old 12-03-2008, 08:35 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
Well, the secret seems to have been accepted, can't see anything explicitly saying that though. Is your secret complex? Some systems might have issues with intermediate storage of special characters. Certainly had me in the past.
 
Old 12-03-2008, 08:52 AM   #5
vortmax
Member
 
Registered: Nov 2005
Posts: 91

Original Poster
I've tried many different secrets thinking that it might not like special chars. The one I'm testing with right now is 8 lowercase letters with no spaces.

Is there a way to calculate what the authenticator hash should be for a given secret?
 
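On the question of how the authenticator is calculated: for an Accounting-Request (RFC 2866) the 16-byte Request Authenticator is MD5 over Code + Identifier + Length + sixteen zero octets + the attributes + the shared secret, and that is exactly the value the server recomputes before deciding the "invalid signature" message. The following is an added example (not from the thread or from FreeRADIUS) that rebuilds a packet shaped like the radclient one captured above (id 0x11, length 26, one User-Name "NULL" attribute) with a made-up secret, computes the authenticator, and verifies it the way the server does. Plugging the real captured Authenticator bytes and the real secret into verify_acct_request() shows which side got the hash wrong.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4   # RADIUS code for Accounting-Request
ACCT_RESPONSE = 5  # RADIUS code for Accounting-Response


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type (1 byte), length incl. header (1 byte), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def acct_request_authenticator(packet_id: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866 s.3: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, packet_id, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def acct_response_authenticator(packet_id: int, request_auth: bytes,
                                attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866 s.3: MD5(Code + ID + Length + RequestAuth + attributes + secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, packet_id, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_acct_request(raw: bytes, secret: bytes) -> bool:
    """The check a RADIUS server runs on an incoming Accounting-Request.

    Returns False for a wrong secret (the thread's error case), a malformed
    length field, or a packet that is not an Accounting-Request at all.
    """
    if len(raw) < 20:
        return False
    code, packet_id, length = struct.unpack("!BBH", raw[:4])
    if code != ACCT_REQUEST or length != len(raw):
        return False
    received_auth = raw[4:20]
    expected = acct_request_authenticator(packet_id, raw[20:length], secret)
    return hmac.compare_digest(expected, received_auth)  # constant-time compare


# Constructed sample mirroring the radclient capture in the thread
# (id 0x11, length 26, User-Name = "NULL"); the secret is made up.
SECRET = b"testing123"
ATTRS = build_attr(1, b"NULL")
PACKET = (struct.pack("!BBH", ACCT_REQUEST, 0x11, 20 + len(ATTRS))
          + acct_request_authenticator(0x11, ATTRS, SECRET) + ATTRS)
```

Comparing the hex of PACKET[4:20] against the Authenticator field that tcpdump prints is the quickest way to confirm whether a NAS is hashing the same secret you configured.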
Old 12-03-2008, 01:58 PM   #6
vortmax
Member
 
Registered: Nov 2005
Posts: 91

Original Poster
With the help of the engineer, I figured it out. Apparently there is a bug in the hashing engine on the device such that only the default secret will work. This fact, and the mandatory shared secret, were stripped from the docs after he wrote them.
 
Old 12-03-2008, 02:03 PM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
OK, and you paid money for this product? And you're getting it all back and going back to the market, right?
 
Old 12-03-2008, 02:28 PM   #8
vortmax
Member
 
Registered: Nov 2005
Posts: 91

Original Poster
Haha, I wish. There is no market for CMTSs in the class we run in. The big Ciscos and Motorolas are a solid 10 grand more expensive and massively overpowered for what we do. I actually feel lucky to have these ones. At least its quirks are only in non-critical services. The ones we used to use were so unstable you'd swear they were running the i-mac os.
 
Old 12-03-2008, 02:39 PM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

oh yeah a CMTS... wake up CCNA... fair do's
 