If a packet is received that contains an incorrect shared secret, should something be logged? Looking through the logs, it looks like freeradius still tries to process the request, the password is mangled, but no mention of incorrect shared secret as far as I get tell.
James Devine wrote:
If a packet is received that contains an incorrect shared secret, should something be logged?
No.
Looking through the logs, it looks like freeradius still tries to process the request, the password is mangled, but no mention of incorrect shared secret as far as I get tell.
Yes. The "incorrect shared secret" message is a *guess*, and is only printed in debugging mode. And it's only a guess. There is *no* way to know if the shared secret is wrong. The users password really might be a random string of binary nonsense: that is allowed in RADIUS. If the packet contains a Message-Authenticator attribute, then it will detect that the shared secret was wrong. The request will be rejected without being processed (i.e. no username/password checks). And a message won't be logged, due to DoS issues. Alan DeKok.
participants (2)
-
Alan DeKok -
James Devine