I've been working on a RADIUS client in Python that can send a disconnect message (packet of disconnect) to a Cisco router. I'm using pyrad 1.2 for the project.
I ran into this problem pretty quickly:
POD: 192.168.9.9 request queued
POD: Illegal authenticator in POD from 192.168.9.9
POD: Added Reply Message: Invalid Authenticator
POD: Added NACK Error Cause: Invalid Request
POD: Sending NAK from port 3799 to 192.168.9.9/60805
The above is output derived using the IOS debug aaa pod command.
At first blush, it looks like a shared secret (password) mismatch. But after retyping the password several times on the router and in the code, I realized that wasn't the case.
I stumbled across this seven-year-old (RADIATOR) Packet of Disconnect thread that solved it for me.
The problem is that I was using pyrad's Client.CreateAuthPacket() method to create the packet. What I didn't realize is that authentication and accounting packets use different methods to calculate the authenticator. Packets of disconnect use the same method as accounting packets. As soon as I started using Client.CreateAcctPacket(), everything started working.
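The difference between the two authenticator calculations, as an added example that is not part of the original post: it uses only the Python standard library rather than pyrad, follows the RFC 2865 (Access-Request) and RFC 2866/5176 (Accounting-Request, Disconnect-Request) definitions, and the shared secret and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 packet code


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, attrs, secret, hashed_authenticator):
    """Build a RADIUS request packet.

    hashed_authenticator=True  -> accounting-style authenticator:
        MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    hashed_authenticator=False -> Access-Request-style authenticator:
        16 random octets that do not depend on the secret
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if hashed_authenticator:
        auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    else:
        auth = os.urandom(16)
    return header + auth + attrs


def nas_accepts(packet, secret):
    """Verify the authenticator the way the receiver of a PoD does."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


# Constructed sample values, not taken from the post.
SECRET = b"constructed-secret"
ATTRS = encode_attr(1, b"alice") + encode_attr(44, b"00000001")  # User-Name, Acct-Session-Id

# Same code, ID, attributes and secret; only the authenticator method differs.
GOOD = build_packet(DISCONNECT_REQUEST, 7, ATTRS, SECRET, hashed_authenticator=True)
BAD = build_packet(DISCONNECT_REQUEST, 7, ATTRS, SECRET, hashed_authenticator=False)

if __name__ == "__main__":
    print("accounting-style authenticator accepted:", nas_accepts(GOOD, SECRET))
    print("auth-style (random) authenticator accepted:", nas_accepts(BAD, SECRET))
```

The second packet is rejected even though the shared secret is correct on both sides, which is why the router's "Illegal authenticator" message looks like a secret mismatch.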