FreeRadius sends Access-Reject for MAC-AUTH, if shared secret on NAS and server differ

Alan DeKok aland at deployingradius.com
Mon Apr 15 00:20:28 CEST 2019


On Apr 14, 2019, at 6:04 PM, Phani Siriki <yvsg.phanis at gmail.com> wrote:
> Yes, you are correct. But in case of MAC-AUTH which is doing PAP
> authentication, Access-Reject is sent. FreeRadius should have dropped
> the request without sending Access-Reject, right?

  No.

> Can we make
> FreeRadius not reply in case of MAC-auth if the shared secret is wrong?

  No.

  If there is a Message-Authenticator attribute, then the server knows that the shared secret is wrong, and drops the packet.

  If there is no Message-Authenticator attribute, then the server guesses that the shared secret *might* be wrong, but it's not sure.  Because there's no way of knowing for sure.

  If you want to know why, read the RFCs.  If you're not going to read the RFCs, then trust that the server does the Right Thing.  It's been doing RADIUS for 20 years, which is likely longer than you've been doing it.

  Alan DeKok.
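The distinction drawn in the reply above, as an added example (not FreeRADIUS code and not part of the original message): a PAP Access-Request is built with and without Message-Authenticator and then checked against a different secret. The function names, secrets and sample values are assumptions made for illustration; the computations follow RFC 2865 (User-Password) and RFC 3579 (Message-Authenticator).

```python
import hashlib
import hmac
import struct

USER_PASSWORD, MESSAGE_AUTHENTICATOR = 2, 80

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def pap_xor(block16, secret, req_auth):
    # RFC 2865 5.2, one 16-byte block: data XOR MD5(secret + Request Authenticator)
    key = hashlib.md5(secret + req_auth).digest()
    return bytes(a ^ b for a, b in zip(block16, key))

def build_access_request(secret, user, password, req_auth, with_ma):
    # Passwords up to 16 bytes only (enough for a MAC address string).
    attrs = attr(1, user)  # User-Name
    attrs += attr(USER_PASSWORD, pap_xor(password.ljust(16, b"\0"), secret, req_auth))
    if with_ma:
        attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while signing
    pkt = struct.pack("!BBH", 1, 0, 20 + len(attrs)) + req_auth + attrs
    if with_ma:  # RFC 3579 3.2: HMAC-MD5 over the whole packet, keyed with the secret
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def find_attr(pkt, wanted):
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        if t == wanted:
            return pos + 2, pos + length
        pos += length
    return None

def secret_matches(pkt, secret):
    # True/False if Message-Authenticator is present, None if there is nothing to check.
    span = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if span is None:
        return None
    zeroed = pkt[:span[0]] + bytes(16) + pkt[span[1]:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[span[0]:span[1]])

def recovered_password(pkt, secret):
    start, end = find_attr(pkt, USER_PASSWORD)
    return pap_xor(pkt[start:end], secret, pkt[4:20])  # 16 bytes, no integrity check

REQ_AUTH, MAC = bytes(range(16)), b"001122334455"  # constructed sample values
```

With a mismatched secret, `secret_matches` returns `False` for the packet that carries Message-Authenticator and `None` for the one that does not, while `recovered_password` just yields 16 bytes that fail the password comparison, which looks the same as a wrong password.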



