Authentication succeeds even with incorrect shared secret.

Stefan.Neis at t-online.de
Thu Sep 1 16:19:17 CEST 2005


        Hi,

Sayantan Bhowmick schrieb:
> I am trying to authenticate users using CHAP authentication.
(snipp)
> users are authenticated successfully (provided userid and
> password is correct) irrespective of what is entered for the
> "shared secret" in the client. Is this a defect?

IIRC, yes, that means the client is broken.

> Shouldn't the RADIUS server check whether the client is
> using the correct "shared secret"?

No, it can't, in general. In authentication, the shared secret
is used to protect secret data (e.g. cleartext passwords when
doing PAP or MPPE keys when doing MS-CHAP). Unless
you're using one of the attributes encrypted by means of the
shared secret, the server never knows whether or not the
client is using the same shared secret.
IIRC, the server, however, is kind of "signing" its reply with
the secret key, so if that's not the same one that the client
has, the client should reject the server's reply as coming from
a non-trustworthy server and not give you access.

          HTH,
                  Stefan



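To make the behaviour described in the reply above concrete, here is an added example (not code from the original post and not FreeRADIUS code) that models the RFC 2865 pieces involved: the PAP User-Password hiding, the CHAP-Password digest, and the Response Authenticator on the server's reply. The user database, the secrets, the user name and the packet identifier are constructed for the demonstration; the function names are this example's own.

```python
"""Toy RADIUS exchange (RFC 2865) showing what the shared secret does and does not protect.

Constructed example, not FreeRADIUS code: one user "alice"/"s3cret", fixed packet id 7.
"""
import hashlib
import os
import struct
from hmac import compare_digest

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
USERS = {b"alice": b"s3cret"}  # constructed user database


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def pap_reveal(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of pap_hide; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge). No secret involved."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode(code: int, ident: int, auth: bytes, attrs: list) -> bytes:
    """Serialise a RADIUS packet: code, id, length, 16-byte authenticator, then TLV attributes."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def decode(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, attrs, i = pkt[4:20], {}, 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, auth, attrs


def response_authenticator(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: list) -> bytes:
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret) on every reply."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def server_handle(server_secret: bytes, request: bytes) -> bytes:
    """Authenticate an Access-Request and return a reply signed with the server's secret."""
    _code, ident, req_auth, attrs = decode(request)
    pw, ok = USERS.get(attrs.get(USER_NAME)), False
    if pw is not None and CHAP_PASSWORD in attrs:
        # CHAP: nothing in the request depends on the shared secret, so a mismatch is invisible here
        cid = attrs[CHAP_PASSWORD][0]
        ok = compare_digest(attrs[CHAP_PASSWORD], chap_password(cid, pw, req_auth))
    elif pw is not None and USER_PASSWORD in attrs:
        # PAP: the secret is needed to unhide the password; a mismatch decrypts to garbage -> reject
        ok = compare_digest(pap_reveal(server_secret, req_auth, attrs[USER_PASSWORD]), pw)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return encode(code, ident, response_authenticator(server_secret, code, ident, req_auth, []), [])


def client_request(method: str, client_secret: bytes, user: bytes, pw: bytes):
    ident, req_auth = 7, os.urandom(16)  # Request Authenticator doubles as the CHAP challenge
    if method == "chap":
        attrs = [(USER_NAME, user), (CHAP_PASSWORD, chap_password(ident, pw, req_auth))]
    else:
        attrs = [(USER_NAME, user), (USER_PASSWORD, pap_hide(client_secret, req_auth, pw))]
    return encode(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def client_trusts(client_secret: bytes, req_auth: bytes, reply: bytes) -> bool:
    """A correct client recomputes the Response Authenticator with its own secret and rejects mismatches."""
    code, ident, resp_auth, attrs = decode(reply)
    return compare_digest(resp_auth, response_authenticator(client_secret, code, ident, req_auth, list(attrs.items())))


def simulate(method: str, client_secret: bytes, server_secret: bytes, user=b"alice", pw=b"s3cret") -> dict:
    request, req_auth = client_request(method, client_secret, user, pw)
    reply = server_handle(server_secret, request)
    return {"server_accepted": decode(reply)[0] == ACCESS_ACCEPT,
            "client_trusts_reply": client_trusts(client_secret, req_auth, reply)}


if __name__ == "__main__":
    for method in ("chap", "pap"):
        print(method, "same secret:", simulate(method, b"same", b"same"))
        print(method, "different secret:", simulate(method, b"client-side", b"server-side"))
```

Running it shows the situation from the thread: with CHAP and mismatched secrets the server still returns Access-Accept, because nothing in the request is tied to the secret, while the client that checks the Response Authenticator refuses that reply; with PAP the server rejects, because the hidden User-Password decrypts to garbage under the wrong secret. A client that grants access without checking the Response Authenticator is the broken party. (As a caveat beyond the post: RFC 2869's Message-Authenticator attribute, an HMAC-MD5 over the request keyed with the shared secret, is what lets a server detect a wrong client secret even for CHAP.)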