Authentication succeeds even with incorrect shared secret.

Sayantan Bhowmick sbhowmick at novell.com
Fri Sep 2 10:19:55 CEST 2005


Thank you, Alan and Stefan, for your replies.
So if I understand correctly, in case of authentication methods like
CHAP the client does NOT SEND ANYTHING SIGNED with the "shared secret",
and as such the RADIUS server CANNOT verify whether the client has the
proper shared secret. In this case it is the client's job to verify the
server's reply. Am I correct?

Thanks and Regards,
-Sayantan.

        >>> On Thu, Sep 1, 2005 at  7:49 pm, in message
<1125583941.43170c45982c4 at modem.webmail.t-online.de>,
Stefan.Neis at t-online.de
wrote: 
> Hi,
> 
> Sayantan Bhowmick schrieb:
>> I am trying to authenticate users using CHAP authentication.
> (snipp)
>> users are authenticated successfully (provided userid and
>> password are correct) irrespective of what is entered for the
>> "shared secret" in the client. Is this a defect?
> 
> IIRC, yes, that means the client is broken.
> 
>> Shouldn't the RADIUS server check whether the client is
>> using the correct "shared secret"?
> 
> No, he can't, in general. In authentication, the shared secret
> is used to protect secret data (e.g. cleartext passwords when
> doing PAP or MPPE keys when doing MS-CHAP). Unless
> you're using one of the attributes encrypted by means of the
> shared secret, the server never knows whether or not the
> client is using the same shared secret.
> IIRC, the server, however, is kind of "signing" his reply with
> the secret key, so if that's not the same one that the client
> has, the client should reject the server's reply as coming from
> a non-trustworthy server and not give you access.
> 
>           HTH,
>                   Stefan
> --
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
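The exchange Stefan describes, worked through as an added toy example (this is illustration code written for this page, not FreeRADIUS code and not from anyone in the thread). It frames RFC 2865 packets by hand, builds a CHAP and a PAP Access-Request the way a NAS would, answers them with a server that knows only its own secret, and then runs the check a correct client must do on the reply. The user database, the secrets, the CHAP ident and the packet identifier are all constructed values. The point to watch: with CHAP the NAS never touches the shared secret, so the server accepts even when the NAS's secret is wrong, and only the Response Authenticator check on the NAS side exposes the mismatch; with PAP the wrong secret garbles the hidden password and the server rejects.

```python
"""Toy RADIUS exchange (RFC 2865 framing, RFC 1994 CHAP) showing why a CHAP
Access-Request is accepted even when the NAS has the wrong shared secret,
why PAP is not, and why the client is the party that can catch the mismatch."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

# Constructed sample credentials and secret, not from any real deployment.
USER_DB = {b"bob": b"hello"}
SERVER_SECRET = b"testing123"


def attr(atype, value):
    """Type-Length-Value attribute; Length covers the 2-byte header."""
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(blob):
    attrs = {}
    while blob:
        atype, alen = blob[0], blob[1]
        attrs[atype] = blob[2:alen]
        blob = blob[alen:]
    return attrs


def pap_hide(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def pap_unhide(hidden, secret, req_auth):
    """Inverse of pap_hide; a wrong secret yields a wrong mask and garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def nas_request(user, password, method, nas_secret, ident=1):
    """Build an Access-Request as the NAS would. For CHAP, nas_secret is unused:
    nothing in the request depends on the shared secret at all."""
    req_auth = os.urandom(16)
    if method == "pap":
        attrs = [attr(USER_NAME, user),
                 attr(USER_PASSWORD, pap_hide(password, nas_secret, req_auth))]
    else:  # CHAP: response = MD5(ident || password || challenge), no secret involved
        challenge = os.urandom(16)
        chap_id = 7  # constructed CHAP identifier
        response = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
        attrs = [attr(USER_NAME, user),
                 attr(CHAP_PASSWORD, bytes([chap_id]) + response),
                 attr(CHAP_CHALLENGE, challenge)]
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_reply(request, server_secret):
    """Server side: check the credential, then sign the reply with its own secret."""
    ident, req_auth = request[1], request[4:20]
    attrs = parse_attrs(request[20:])
    pw = USER_DB.get(attrs.get(USER_NAME, b""))
    ok = False
    if pw is not None and CHAP_PASSWORD in attrs:
        chap_id, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)  # RFC 2865 s5.3 fallback
        ok = hashlib.md5(bytes([chap_id]) + pw + challenge).digest() == response
    elif pw is not None and USER_PASSWORD in attrs:
        ok = pap_unhide(attrs[USER_PASSWORD], server_secret, req_auth) == pw
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    hdr = struct.pack("!BBH", code, ident, 20)
    return hdr + hashlib.md5(hdr + req_auth + server_secret).digest()


def client_verifies(request, reply, nas_secret):
    """What a correct NAS does (RFC 2865 s3): recompute the Response Authenticator
    with its own secret and discard the reply if it does not match."""
    req_auth = request[4:20]
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + nas_secret).digest()
    return expected == reply[4:20]


def run(method, nas_secret):
    """Returns (server_accepted, client_trusts_reply) for one exchange."""
    req = nas_request(b"bob", b"hello", method, nas_secret)
    rep = server_reply(req, SERVER_SECRET)
    return rep[0] == ACCESS_ACCEPT, client_verifies(req, rep, nas_secret)
```

`run("chap", b"wrong")` comes back as `(True, False)`: the server has no way to notice the bad secret, and access is only denied if the NAS honours the failed Response Authenticator check, which is the behaviour the thread says the broken client lacks. `run("pap", b"wrong")` comes back `(False, False)` because the User-Password hiding depends on the secret. One caveat beyond what the thread covers: an Access-Request that carries a Message-Authenticator attribute (RFC 2869, HMAC-MD5 over the packet with the shared secret) does let the server detect a mismatched secret, so requiring that attribute is the server-side fix for this class of misconfiguration.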
