Alan DeKok wrote:
The RFC requirements aren't absolute. You're free to break them in your local system, but doing so may cause catastrophic problems.
In this case, what are you trying to do?
I am working with a vendor product that has implemented their own Radius and when trying to authenticate to their product they say that when using Challenge based authentication they handle blank passwords according to the RFC. After reading the RFC I don't fully understand why blank passwords seemed to be acceptable. Ultimately I don't understand why radius RFC has a provision to ask for a password if the original request is empty when doing two factor authentication. It would seem to me that if the User-Password field is empty (or what ever attribute is used with two-factor authentication) that Radius should interpret that with an Access-Reject.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html