1

I am learning how to use FreeRADIUS; the version is v2.1.12. When I run radtest, there is no response from the server, and I see that the server-side debug output has the following:

Received packet from 127.0.0.1 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.

Here is radtest command: radtest -x selftest password 127.0.0.1 0 secret

Here is my edit of /etc/freeradius/clients.conf:

client selftest {
     ipaddr = 127.0.0.1
     secret = secret
}

Here is my edit of /etc/freeradius/users:

selftest Cleartext-Password := "password"

Here is the full output from radtest:

radtest -x selftest password 127.0.0.1 0 secret
Sending Access-Request of id 238 to 127.0.0.1 port 1812
        User-Name = "selftest"
        User-Password = "password"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000

Do you see what is wrong?

[UPDATE] Thanks arran-cudbard-bell, I changed to "testing123" and it is better: it got rejected, but this is better.

Indeed, I made some changes in /etc/hosts which could be the reason. It looks like this:

127.0.0.1 localhost     <== pre-existed
127.0.0.1 selftest      <== my edit

The reason I added the line is that, without it, I cannot even run radtest; I get this error:

# radtest -x -t pap localhost password 127.0.0.1 0 testing123
radclient:: Failed to find IP address for test-server
radclient: Nothing to send.

Do you know how to solve it?

my_question

2 Answers

1

It's probably not loading the right clients.conf or you have another definition for 127.0.0.1.

Try using testing123 which is the default for the localhost client definition. If it works, you know the problem is a pre-existing definition.

Arran Cudbard-Bell
0

I wrote an article explaining how the shared secret works and what this means.

The root cause for "shared secret is incorrect" and "WARNING: unprintable characters in password" is the same, and is unambiguous: The shared secret on the RADIUS server and the NAS are not the same.

However, there can be some confusion because, depending on what information RADIUS receives in the packet header, you will see either the error message or the warning.

There are also several scenarios where system administrators might think that the shared secret is the same on the RADIUS server and the NAS, when in fact it is not.

You've got to check that the server is loading the correct clients.conf. Read the debug output to see which file it's loading. It will print out the client, and the shared secret. Check the debug output!

https://networkradius.com/articles/2021/07/26/what-does-shared-secret-error-mean.html
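
The mismatch discussed in the answers, as an added example that is not part of the original posts or of FreeRADIUS: it builds an Access-Request with the attributes radtest printed above, then validates it the way a server would under each secret. The function names are hypothetical; the Message-Authenticator and User-Password algorithms follow RFC 2869 section 5.14 and RFC 2865 section 5.2.

```python
import hashlib, hmac, os, struct

def hide(data, secret, ra, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous ciphertext block), starting from the authenticator."""
    out, prev = b"", ra
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out, prev = out + res, (block if decrypt else res)
    return out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(user, password, secret, ident=238):
    """Client side: the same attributes radtest printed on this page."""
    ra = os.urandom(16)                                  # Request Authenticator
    padded = password + bytes(-len(password) % 16)       # pad to 16-byte blocks
    attrs = (attr(1, user) + attr(2, hide(padded, secret, ra))
             + attr(4, bytes([127, 0, 0, 1])) + attr(5, struct.pack("!I", 0))
             + attr(80, bytes(16)))                      # Message-Authenticator, zeroed
    pkt = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs)
    # RFC 2869 5.14: HMAC-MD5 over the whole packet, keyed with the shared secret
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def server_view(pkt, secret):
    """Server side: (Message-Authenticator valid?, decoded User-Password)."""
    ra, pos, zeroed, got_mac, pw = pkt[4:20], 20, bytearray(pkt), b"", None
    while pos < len(pkt):
        kind, ln = pkt[pos], pkt[pos + 1]
        if ln < 2:
            raise ValueError("malformed attribute")
        if kind == 2:    # User-Password
            pw = hide(pkt[pos + 2:pos + ln], secret, ra, decrypt=True).rstrip(b"\0")
        elif kind == 80:  # Message-Authenticator: zero it before recomputing
            got_mac = pkt[pos + 2:pos + ln]
            zeroed[pos + 2:pos + ln] = bytes(16)
        pos += ln
    want = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(want, got_mac), pw

if __name__ == "__main__":
    pkt = build_access_request(b"selftest", b"password", b"secret")  # constructed input
    print(server_view(pkt, b"secret"))       # secrets match
    print(server_view(pkt, b"testing123"))   # server holds a different secret
```

With a different secret on the server side, the HMAC check fails and the decoded password is random bytes, which correspond to the "invalid Message-Authenticator" error and the "unprintable characters in password" warning mentioned in the second answer.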