Alan DeKok <aland@deployingradius.com> wrote:
The Message-Authenticator is calculated from the RADIUS shared secret. i.e. the secret shared between the RADIUS client and server.
It has nothing to do with the users password.
It does if it's being used as a generic EAP-TTLS authentication mechanism and the client just has a username+password, i.e. the RADIUS shared secret is the same as the password used with EAP-TTLS. In other words the client is being told to authenticate with EAP-TTLS and given a username + password, they don't have, or even know, that there's a second, different password to use with RADIUS vs. whatever they're running over EAP-TTLS.
Run eapol_test with an incorrect password, and see what happens. You will see that the RADIUS shared secret is NOT the same as the users password.
See above, that's for the specific case of eapol_test, or an equivalent that uses two different passwords/shared secrets/whatever. In this case there's only a single username+password available to auth with. I realize the answer is probably "don't do that, then", but the server is a third-party service that can't be changed. JG.