RADIUS CoA for Hotspot - 'invalid signature' errors

Trying to use RADIUS CoA for Hotspot users. While RouterOS accepts the CoA request and acts on it, the client requesting the CoA receives an 'invalid signature' error.

Here is the debug output from RouterOS:

17:05:35 radius,debug,packet received CoA-Request with id 231 from 1.1.10.107:48721
17:05:35 radius,debug,packet     Signature = 0xb61c48a2a7fc09a834c3d9315300525d
17:05:35 radius,debug,packet     NAS-IP-Address = 1.1.11.144
17:05:35 radius,debug,packet     User-Name = "test"
17:05:35 radius,debug,packet     Acct-Session-Id = "80400014"
17:05:35 radius,debug,packet     Framed-IP-Address = 10.2.1.254
17:05:35 radius,debug,packet     MT-Group = "Wireless"
17:05:35 radius,debug received remote request 24 code=CoA-Request from 1.1.10.107:48721
17:05:35 hotspot,info,debug test (10.2.1.254): trying to update via Radius CoA
17:05:35 hotspot,info,debug test (10.2.1.254): Radius CoA succeeded
17:05:35 radius,debug sending CoA-ACK to remote request 24
17:05:35 radius,debug,packet sending CoA-ACK with id 231 to 1.1.10.107:48721
17:05:35 radius,debug,packet     Signature = 0xe4dd93515bd728763d8af2d054eda133
17:05:35 radius,debug,packet     NAS-Identifier = "MikroTik"
17:05:35 radius,debug,packet     NAS-IP-Address = 1.1.11.144

I imagine the 'Signature' field is the 'Request Authenticator' from RFC 2866 - I can't find any reference to anything else in RFC 3576, and changing the shared secret to not match between NAS and the server running radclient leads to a log message about dropping an invalid request due to a 'bad signature'.

The shared secret is definitely correct in the above log entries, RouterOS acts on the CoA and sends a CoA-ACK. Yet radclient logs an 'invalid signature' error:

# echo "NAS-IP-Address=1.1.11.144,User-Name=test,Acct-Session-Id=80400014,Framed-IP-Address=10.2.1.254,Mikrotik-Group=Wireless" | ./radclient -d /root/freeradius/etc/raddb/ -r 1 -x 1.1.11.144:3799 coa "test"
Sending CoA-Request of id 129 to 1.1.11.144 port 3799
        NAS-IP-Address = 1.1.11.144
        User-Name = "test"
        Acct-Session-Id = "80400014"
        Framed-IP-Address = 10.2.1.254
        Mikrotik-Group = "Wireless"
rad_recv: CoA-ACK packet from host 1.1.11.144 port 3799, id=129, length=36
rad_verify: Received CoA-ACK packet from client 1.1.11.144 port 3799 with invalid signature (err=2)!  (Shared secret is incorrect.)
radclient: no response from server for ID 129 socket 3

The only explanation I can come up with is that the RADIUS portion in RouterOS incorrectly calculates the md5 checksum sent back as a signature. Does that seem right?

I've searched the forums but only found related threads for PPP disconnect requests.

Additionally, the CoA does change the rate limit on the dynamic simple queue for the user, but does not update the active user session under "/ip hotspot active" with the new profile name.
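The check that radclient's rad_verify is complaining about, as an added example (not code from this thread, RouterOS or FreeRADIUS): it builds a CoA-Request and a CoA-ACK with the authenticator formulas from RFC 3576 (MD5 over Code, ID, Length, the request's authenticator, the attributes and the shared secret), using the secret and attribute values from the log above as constructed sample data, and shows that a wrong secret or an attribute altered after signing fails the same check.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK = 43, 44          # packet codes from RFC 3576 / RFC 5176
SECRET = b"test"                        # the secret given on the radclient command line
NAS_IP = bytes([1, 1, 11, 144])         # NAS-IP-Address from the log, as 4 octets


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS Type-Length-Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_coa_request(ident, attrs, secret):
    """CoA-Request: authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_coa_ack(ident, request_auth, attrs, secret):
    """CoA-ACK: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    i.e. the digest is bound to the authenticator of the request being answered."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_ACK, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def verify_response(packet, request_auth, secret):
    """The check rad_verify performs on a received CoA-ACK: recompute the Response
    Authenticator from the secret and the outstanding request's authenticator."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(received, expected)


def coa_exchange(nas_secret=SECRET, tamper=False):
    """Client builds the request, NAS answers using nas_secret; return (length, verdict)."""
    req = build_coa_request(129, [(4, NAS_IP), (1, b"test"), (44, b"80400014")], SECRET)
    request_auth = req[4:20]
    # CoA-ACK carrying NAS-Identifier (32) and NAS-IP-Address (4): 36 octets, as in the log
    ack = build_coa_ack(129, request_auth, [(32, b"MikroTik"), (4, NAS_IP)], nas_secret)
    if tamper:                          # flip one bit in the last attribute after signing
        ack = ack[:-1] + bytes([ack[-1] ^ 0x01])
    return len(ack), verify_response(ack, request_auth, SECRET)
```

With a capture of the real CoA-Request and CoA-ACK, feeding both packets to verify_response with the configured secret shows whether the NAS digest matches what the client expects.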

What RADIUS server are you using? I have had the same issue. I have 3 RADIUS servers - two running older versions (Fedora Core release 3), and freeradius 1.1.1. Using CoA with radclient from these works - i.e. there is no signature error. I also have a server that runs Red Hat Enterprise Linux Server release 5.2 with freeradius 2.1.5. If I do the test from this I get the signature errors.

Check the freeradius forums - it is definitely related to MD5 checksums - not sure where the problem is.

I tried that - 1.1.3 (from repos on CentOS 5.3) works fine. I was using 2.1.7 compiled from source.