I am trying to configure the CoA proxy in the latest RADIUS Docker image, 3.2.3.
I have defined a client with the proper shared secret (the message initiator) and also defined a home server with a shared secret (the message destination). When I send the CoA message, I see in the debug output that the RADIUS server is proxying the request, the NAS at the destination receives it, it responds back to the RADIUS server, and then the RADIUS server forwards that message back to the initiator. The problem is that when I receive the final message from the RADIUS server it has an invalid Message-Authenticator:
"Reply verification failed: Received packet from 192.168.2.157 with invalid Message-Authenticator! (Shared secret is incorrect.)"
I checked the shared secret on all sides, everything is as expected but somehow it signs the final message incorrectly.
Thanks in advance.
Here is my debug log of the RADIUS server (host IP is 192.168.2.157):
(2) Received Disconnect-Request Id 33 from 192.168.2.227:37369 to 172.17.0.2:3799 length 51
(2) NAS-IP-Address = 192.168.2.224
(2) Calling-Station-Id = "BC:54:51:EF:70:AE"
(2) Event-Timestamp = "Oct 31 2023 00:11:47 UTC"
(2) # Executing section recv-coa from file /etc/freeradius/sites-enabled/coa
(2) recv-coa {
(2) [suffix] = noop
(2) update control {
(2) EXPAND %{NAS-IP-Address}
(2) --> 192.168.2.224
(2) Packet-Dst-IP-Address = 192.168.2.224
(2) } # update control = noop
(2) [ok] = ok
(2) } # recv-coa = ok
(2) Starting proxy to home server 192.168.2.224 port 3799
(2) server coa {
(2) }
(2) Proxying request to home server 192.168.2.224 port 3799 timeout 30.000000
(2) Sent Disconnect-Request Id 119 from 0.0.0.0:44638 to 192.168.2.224:3799 length 55
(2) NAS-IP-Address = 192.168.2.224
(2) Calling-Station-Id = "BC:54:51:EF:70:AE"
(2) Event-Timestamp = "Oct 31 2023 00:11:47 UTC"
(2) Proxy-State = 0x3333
Waking up in 0.3 seconds.
(2) Clearing existing &reply: attributes
(2) Received Disconnect-ACK Id 119 from 192.168.2.224:3799 to 172.17.0.2:44638 length 48
(2) Proxy-State = 0x3333
(2) Event-Timestamp = "Oct 31 2023 00:12:03 UTC"
(2) Message-Authenticator = 0xa8348c88a62f140ba3d61e1725c34dc7
(2) server coa {
(2) }
(2) # Executing section send-coa from file /etc/freeradius/sites-enabled/coa
(2) send-coa {
(2) [ok] = ok
(2) } # send-coa = ok
(2) Sent Disconnect-ACK Id 33 from 172.17.0.2:3799 to 192.168.2.227:37369 length 44
(2) Event-Timestamp = "Oct 31 2023 00:12:03 UTC"
(2) Message-Authenticator = 0xa8348c88a62f140ba3d61e1725c34dc7
(2) Finished request
And the request message is:
echo "
NAS-IP-Address = 192.168.2.224
Calling-Station-Id = 'BC:54:51:EF:70:AE'
Event-Timestamp = $(date +%s)
" | radclient -x 192.168.2.157:3799 disconnect <secret>
Sent Disconnect-Request Id 33 from 0.0.0.0:37369 to 192.168.2.157:3799 length 51
NAS-IP-Address = 192.168.2.224
Calling-Station-Id = "BC:54:51:EF:70:AE"
Event-Timestamp = "Oct 30 2023 18:11:47 MDT"
(0) Reply verification failed: Received packet from 192.168.2.157 with invalid Message-Authenticator! (Shared secret is incorrect.)
Just to close the thread with the proper answer in case someone else is hitting the same problem. Found out that this is a bug in 3.2.3. It is simply not calculating a new Message-Authenticator but copying it. The issue was reported to the FreeRADIUS devs, validated and accepted. The fix was made almost immediately and is probably already included in 3.2.4. Sorry, but I moved to another project and didn't test it.
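To show why a copied value cannot verify, here is an added Python model of the Message-Authenticator (RFC 2869) and Response Authenticator (RFC 5176) calculations; it is not code from the thread or from FreeRADIUS, and the secrets, request authenticators and timestamp in it are constructed values. It builds the Id 119 Disconnect-ACK from the home server, then builds the Id 33 ACK to the initiator either by copying the home server's Message-Authenticator (the symptom in the debug log above, where the same 0xa834... value appears in both the Received and Sent ACK) or by recomputing it under the client's secret and request authenticator, and runs the receiver's check that radclient performs.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used here (RFC 5176 / RFC 2869).
DISCONNECT_ACK = 41
ATTR_EVENT_TIMESTAMP = 55
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialize a list of (type, value_bytes) into RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Inverse of encode_attrs; stops on a malformed length instead of looping forever."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            break
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(code, ident, request_auth, attrs, secret):
    """HMAC-MD5 over the packet with Message-Authenticator zeroed (RFC 2869).
    For a response, the Authenticator field holds the request's authenticator."""
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, request_auth, zeroed), hashlib.md5).digest()


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), attributes already final."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()


def build_ack(ident, request_auth, attrs, secret):
    """Correct Disconnect-ACK: compute Message-Authenticator, then the Response Authenticator."""
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                 message_authenticator(DISCONNECT_ACK, ident, request_auth, attrs, secret))
    ra = response_authenticator(DISCONNECT_ACK, ident, request_auth, attrs, secret)
    return build_packet(DISCONNECT_ACK, ident, ra, attrs)


def verify_reply(packet, request_auth, secret):
    """The receiver's check (what radclient does): returns 'ok' or the failure reason."""
    code, ident, length = HEADER.unpack(packet[:4])
    attrs = parse_attrs(packet[20:length])
    ma = next((v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR), None)
    if ma is None:
        return "missing Message-Authenticator"
    if not hmac.compare_digest(ma, message_authenticator(code, ident, request_auth, attrs, secret)):
        return "invalid Message-Authenticator"
    if not hmac.compare_digest(packet[4:20],
                               response_authenticator(code, ident, request_auth, attrs, secret)):
        return "invalid Response Authenticator"
    return "ok"


def proxied_ack_result(copy_home_ma):
    """Model the proxy hop from the thread. Secrets and authenticators are constructed values."""
    client_secret, home_secret = b"client-secret", b"home-secret"
    client_req_auth = bytes(range(16))        # authenticator of the client's Id 33 request
    proxy_req_auth = bytes(range(16, 32))     # authenticator of the proxy's Id 119 request
    reply_attrs = [(ATTR_EVENT_TIMESTAMP, struct.pack("!I", 1698711123))]

    # The home server answers the proxy's request (Id 119) under the home-server secret.
    home_ack = build_ack(119, proxy_req_auth, reply_attrs, home_secret)
    assert verify_reply(home_ack, proxy_req_auth, home_secret) == "ok"
    home_ma = next(v for t, v in parse_attrs(home_ack[20:]) if t == ATTR_MESSAGE_AUTHENTICATOR)

    if copy_home_ma:
        # Buggy proxy: reuse the home server's Message-Authenticator in the Id 33 reply.
        attrs = reply_attrs + [(ATTR_MESSAGE_AUTHENTICATOR, home_ma)]
        ra = response_authenticator(DISCONNECT_ACK, 33, client_req_auth, attrs, client_secret)
        client_ack = build_packet(DISCONNECT_ACK, 33, ra, attrs)
    else:
        # Correct proxy: recompute under the client's secret and request authenticator.
        client_ack = build_ack(33, client_req_auth, reply_attrs, client_secret)
    return verify_reply(client_ack, client_req_auth, client_secret)


if __name__ == "__main__":
    print("copied MA :", proxied_ack_result(True))   # invalid Message-Authenticator
    print("recomputed:", proxied_ack_result(False))  # ok
```

The copied value is an HMAC keyed with the home server's secret over a packet with Id 119 and the proxy's request authenticator, so it can never match what the initiator computes from its own secret, Id 33 and its own request authenticator; the Response Authenticator of the outer reply is still correct in the buggy case, which is why the receiver reports only the Message-Authenticator as invalid, exactly as radclient did in the thread.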