radius
The message authenticator of Access-Accept from Server-Status message reply is not correct
Used the library to create an Access-Accept reply to a ServerStatus message from a RADIUS client. The message authenticator calculated is not correct! We can test using radclient (a standard freeradius-server client!)
echo "Client-IP-Address=192.168.1.10, Called-Station-Id=00:00:00:00:a3:58" | radclient -c 1 -r 1 -t 5 -x 10.65.1.10 status mysecret
Sent Status-Server Id 7 from 0.0.0.0:49396 to 10.65.1.10:1812 length 39
Client-IP-Address = 192.168.1.10
Called-Station-Id = "00:00:00:00:a3:58"
(0) Reply verification failed: Received packet from 10.65.1.10 with invalid Message-Authenticator! (Shared secret is incorrect.)
Is there a specific way to handle this message? Should we add an extra VSA to it before replying?
Sorry, I do not know either right now. I do not use radclient to test this library. I use strongSwan to test this library; their RADIUS protocols may be different.
You can try reading the source code of radclient to understand what has happened.
You can fork this project, fix your bug, then send a pull request here.
If you look at the FreeRADIUS source, you will see that they require a key length that is a multiple of 16. Maybe that's the problem.
#define MAX_SECRET_LENGTH (3 * 16) /* MUST be multiple of 16 */
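For reference, an added example that is not part of the thread or of the library's code: how a reply's Message-Authenticator is defined in RFC 2869 / RFC 3579 (HMAC-MD5 keyed with the shared secret, computed over the reply with the Request Authenticator in the authenticator field and the attribute value zeroed) and how a client verifies it. The function names, the `mac_auth` parameter and the sample values are assumptions made for illustration; the example does not diagnose the library's bug.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT = 2
MSG_AUTH = 80  # Message-Authenticator attribute type

def build_reply(code, ident, request_auth, secret, attrs=b"", mac_auth=None):
    """Build a signed reply. request_auth is the request's 16-byte authenticator.
    mac_auth (hypothetical knob) overrides the authenticator field fed to the HMAC,
    to show what a client sees when a server signs over the wrong field."""
    body = attrs + bytes([MSG_AUTH, 18]) + bytes(16)      # value zeroed for the HMAC
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    field = request_auth if mac_auth is None else mac_auth
    mac = hmac.new(secret, header + field + body, hashlib.md5).digest()
    body = body[:-16] + mac
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_reply(packet, request_auth, secret):
    """Client-side check. Returns (response_authenticator_ok, message_authenticator_ok)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return (False, False)
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected_resp = hashlib.md5(header + request_auth + body + secret).digest()
    resp_ok = hmac.compare_digest(expected_resp, resp_auth)
    # Walk the attribute list, remember the received MAC and zero it in a copy.
    i, zeroed, received = 0, bytearray(body), None
    while i + 2 <= len(body):
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            return (resp_ok, False)                       # malformed attribute
        if attr_type == MSG_AUTH and attr_len == 18:
            received = body[i + 2:i + 18]
            zeroed[i + 2:i + 18] = bytes(16)
        i += attr_len
    if received is None:
        return (resp_ok, False)
    expected = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
    return (resp_ok, hmac.compare_digest(expected, received))

if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"mysecret"      # constructed sample values
    good = build_reply(ACCESS_ACCEPT, 7, req_auth, secret)
    bad = build_reply(ACCESS_ACCEPT, 7, req_auth, secret, mac_auth=bytes(16))
    print(verify_reply(good, req_auth, secret), verify_reply(bad, req_auth, secret))
```

A reply signed over a zeroed authenticator field passes the Response Authenticator check but fails the Message-Authenticator check even though the secret is right, so a client may report the mismatch as a wrong shared secret.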