[Jradius] JRadius Proxy mangles User-Password

Murray Long murray at skyrove.com
Thu Aug 19 13:11:13 UTC 2010


Hi David, Jradius List,

After further testing I'm doubting this is a shared secret problem:

If I intentionally send the wrong shared secret from client-->Jradius,
Jradius gives me an error saying:
"Bad RadSec tunnel shared secret, set to radsec"

If I intentionally set the wrong shared secret for the Jradius-->freeradius
connection, freeradius gives me an error saying:
"Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared
secret is incorrect.) Dropping packet without response."

If I use the correct shared secrets on both sides, I get no error messages,
only garbled passwords.

Is there any way to get Jradius to log packets before it proxies them? So I
can at least isolate the problem to the client-->jradius connection or the
jradius-->freeradius one.

Many Thanks,
Murray

On Thu, Aug 19, 2010 at 8:21 AM, wlanmac <wlan at mac.com> wrote:

> Hello,
>
> The User-Password is always encoded ("encrypted") with the shared secret
> on the wire. Chances are that there is a shared secret mix-up
> somewhere.
>
> David
>
>
> On Wed, 2010-08-18 at 17:31 +0200, Murray Long wrote:
> > Hi Everyone,
> >
> > I'm trying to set up JRadius to accept Radsec connections and proxy
> > them onto freeradius.
> >
> > I've set up jradius as described on coova.org, and it seems to work
> > well, except the User-Password is encrypted by the time it reaches
> > freeradius.
> >
> > I get the following reported on the freeradius side:
> >
> >     User-Name = "testuser"
> >     User-Password = "\212\230\306\310\313}\010\231\257\211F\237.l
> > \365JJ\2173\240b\367\215+ҵu\177=\237\304\001"
> >
> > My NAS is sending plaintext passwords so I'm pretty sure Jradius is
> > mangling the User-Password somehow.
> >
> > Does anyone know why this would be happening and how to prevent it?
> >
> > I did notice "dictionary.rfc2865" had a line:
> > User-Password                2    string encrypt=1
> > but setting encrypt=0 doesn't seem to make a difference.
> >
> > Thanks,
> > Murray
> >
>
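
Added example, not part of the original thread and not JRadius or FreeRADIUS code: the RFC 2865 section 5.2 User-Password hiding that the reply refers to, showing that a value decoded with the wrong shared secret or Request Authenticator comes out as garbage rather than raising an error, so each proxy hop has to reveal and re-hide it. The password, the upstream secret "testing123" and both authenticators are constructed sample values, and the helper names are hypothetical.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to a 16-byte multiple, XOR with a chained MD5 stream."""
    if len(password) > 128 or len(authenticator) != 16:
        raise ValueError("password max 128 bytes, authenticator exactly 16")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. No integrity check: wrong inputs yield garbage, not an error."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def proxy_rehide(hidden, in_secret, in_auth, out_secret, out_auth):
    """Per-hop handling: reveal with the inbound pair, hide again with the outbound pair."""
    clear = reveal_password(hidden, in_secret, in_auth)
    return hide_password(clear, out_secret, out_auth)

# Constructed sample values (assumptions, not taken from the thread's packets).
PASSWORD = b"testpass"
IN_SECRET, OUT_SECRET = b"radsec", b"testing123"
IN_AUTH, OUT_AUTH = bytes(range(16)), bytes(range(16, 32))

def demo() -> dict:
    from_nas = hide_password(PASSWORD, IN_SECRET, IN_AUTH)
    rehidden = proxy_rehide(from_nas, IN_SECRET, IN_AUTH, OUT_SECRET, OUT_AUTH)
    return {
        "rehidden": reveal_password(rehidden, OUT_SECRET, OUT_AUTH),
        "copied_unchanged": reveal_password(from_nas, OUT_SECRET, OUT_AUTH),
        "wrong_inbound_secret": reveal_password(from_nas, b"not-the-secret", IN_AUTH),
    }

if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value!r}")
```

Only the "rehidden" case recovers the password; the other two print arbitrary bytes, and nothing in the attribute itself signals the mismatch.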