• lapin
  • New member
  • Offline
  • From: Lausanne
  • Registered: 2009-09-09
  • Posts: 7

Topic: invalid Message-Authenticator

Hi,

I'm trying to setup chillispot 1.0-10 on a Ubuntu 9.04 server, with freeradius 2.1.0, and I'm experiencing communication problems between Chilli and Freeradius.

I'm sure about my radiussecret in the chilli.conf and in the freeradius clients.conf. I have experienced many different secrets, and I always receive this message from freeradius (run in debug mode, as well as chilli daemon) :
-----------------------------
Wed Sep  9 12:48:00 2009 : Error: Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.
-----------------------------
If i run a "radtest" test, the server answers correctly with a Access-Accept request.

I have a tried with a few accounts configured in either Mysql radcheck table and plain file "users", i have always the same error. I checked with the other "hotspotlogin.php" script instead of the "hotspotlogin.cgi", no better result.
Now I just run wireshark to capture some paquets and there is something different in the radius paquets sent from radtest than from chilli.

Here is the frame which is accepted (with radtest):
=================================
No.     Time        Source                Destination           Protocol Info
    268 3.750178    127.0.0.1             127.0.0.1             RADIUS   Access-Request(1) (id=118, l=62)

Frame 268 (104 bytes on wire, 104 bytes captured)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
User Datagram Protocol, Src Port: 51483 (51483), Dst Port: radius (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x76 (118)
    Length: 62
    Authenticator: F111473F0D933103A3EC7880F2E65FBD
    [The response to this request is in frame 269]
    Attribute Value Pairs
        AVP: l=12  t=User-Name(1): chillispot
        AVP: l=18  t=User-Password(2): Encrypted
        AVP: l=6  t=NAS-IP-Address(4): 192.168.182.1
        AVP: l=6  t=NAS-Port(5): 0
------------------------------------------------------
and here is the frame that is sent from chilli and that freeradius refuse :

No.     Time        Source                Destination           Protocol Info
   1008 30.626386   127.0.0.1             127.0.0.1             RADIUS   Access-Request(1) (id=0, l=201)

Frame 1008 (243 bytes on wire, 243 bytes captured)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
User Datagram Protocol, Src Port: 35931 (35931), Dst Port: radius (1812)
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x0 (0)
    Length: 201
    Authenticator: E61C4FB477F4DB4994BE5560B08C2FA4
    Attribute Value Pairs
        AVP: l=12  t=User-Name(1): chillispot
        AVP: l=18  t=User-Password(2): Encrypted
        AVP: l=6  t=NAS-IP-Address(4): 127.0.0.1
        AVP: l=6  t=Service-Type(6): Login-User(1)
        AVP: l=6  t=Framed-IP-Address(8): 192.168.182.3
        AVP: l=19  t=Calling-Station-Id(31): 00-08-02-E8-89-36
        AVP: l=19  t=Called-Station-Id(30): 00-11-43-D3-79-69
        AVP: l=7  t=NAS-Identifier(32): nas01
        AVP: l=18  t=Acct-Session-Id(44): 4aa77c2f00000000
        AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=6  t=NAS-Port(5): 0
        AVP: l=18  t=Message-Authenticator(80): 156DCCEF000000000000000000000000
        AVP: l=40  t=Vendor-Specific(26) v=WISPr(14122)

here is my freeradius clients.conf:
--------------
client 127.0.0.1 {
    secret = *********
    shortname = localhost
    nastype = other
        #require_message_authenticator = no
}
-------------------------
I have spent hours on that project, and i'm sure chillispot is perfect for that, but there should be something really weird in my config ...

Help please !

  • lapin
  • New member
  • Offline
  • From: Lausanne
  • Registered: 2009-09-09
  • Posts: 7

Re: invalid Message-Authenticator

Of course it has been triple checked, and put back to easy readable password to be sure there is no typo. Both uamsecret and radiussecret.

I even got the source and compiled myself a version of chilli, and I've got exactly the same error still. Pretty disappointed.

  • lapin
  • New member
  • Offline
  • From: Lausanne
  • Registered: 2009-09-09
  • Posts: 7

Re: invalid Message-Authenticator

Both Chilli and freeradius are on debug mode on the console, foreground.

The only message I get in the freeradius console is immediately that :
---------
Wed Sep  9 12:48:00 2009 : Error: Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.
---------

repeated a few times.

regards

  • lapin
  • New member
  • Offline
  • From: Lausanne
  • Registered: 2009-09-09
  • Posts: 7

Re: invalid Message-Authenticator

I was following this howto (and the related for different versions of Ubuntu).

Yesterday, after having enough, I started again from scratch : reinstalled Ubuntu 8.04 LTS server (instead of 9.04 server), reinstalled all packages, configured.

Now I have exactly the same errors, but the difference is that now I'm running freeradius 1.1.7 instead of 2.0 ; and the problem with the invalid Message-Authenticator is still there.

Is there any special content in the radius database that I have ? I have that currently :
records only in the radcheck table, like this :

id UserName Attribute           op   Value
4 lapin         Auth-Type         :=    Local
5 lapin         User-Password   ==   pass123

All other tables are empty (nas, radgroupcheck among others)

Any comment ?

  • lapin
  • New member
  • Offline
  • From: Lausanne
  • Registered: 2009-09-09
  • Posts: 7

Re: invalid Message-Authenticator

mmmmh I begin to have a doubt ...

I'm using a 64 bits version of Ubuntu, and I notice that in my Wireshark capture, all paquets sent by chilli have a message-authentificator that have only zeros after the 1st 8 bytes, like :

Message-Authenticator: DF09B19E000000000000000000000000

When the one sent by radclient (radtest calls it) have something like :

Message-Authenticator: 9A67B23A03BDC920A49E0F59413023B8

Do you think what I think ?
Couldn't it be a bug of chilli when compiled on 64 bits systems ? seems there is an overflow or something and the Message-authenticator is truncated to 6 bytes ?

  • lapin
  • New member
  • Offline
  • From: Lausanne
  • Registered: 2009-09-09
  • Posts: 7

Re: invalid Message-Authenticator

seems it's getting closer :

http://www.chillispot.info/chilliforum/viewtopic.php?id=349

yes !

  • lapin
  • New member
  • Offline
  • From: Lausanne
  • Registered: 2009-09-09
  • Posts: 7

Re: invalid Message-Authenticator

Just to close the subject, I reinstalled a server with the 32 bits version of Ubuntu server, and now it's working.

The bug is confirmed and I submittted a bug on Ubuntu

8 Reply by ChrisBrad51 (edited by ChrisBrad51 2012-12-19 20:18:07)

  • Registered: 2010-07-31
  • Posts: 2

Re: invalid Message-Authenticator

usually most of the time I was faced with error in 64-bit version OS.  Day by day is getting crucial problem on Ubuntu server..

Even lots of different linux. So that still today that problem with me.



Any suggestion will be appreciated......

Thanks
Chrisbad

9 Reply by louya062 (edited by louya062 2015-07-06 03:08:35)

  • Registered: 2015-07-01
  • Posts: 3

Re: invalid Message-Authenticator

well...I begin to have a doubt  film protection sony xperia z3