pam_radius and Cisco ACS
Alan DeKok
aland at ox.org
Thu Feb 16 04:20:15 CET 2006
Tom <tjonesjr at gmail.com> wrote:
> No, the shared secret is correct, otherwise the ACS would show that as
> being the error
RADIUS doesn't work like that.
If there's no Message-Authenticator in the packet (and pam_radius
doesn't send one), then the server can't tell that the secret is
wrong. It can guess, (e.g. the messages FreeRADIUS produces), but it
has no way of knowing for sure.
> I thought this might have been the issue until I purposely used the
> wrong secret and there were different error's.
If ACS can decode the password properly, then the shared secret is
correct, and it *should* authenticate the user.
If the shared secret is incorrect, then it will decode the password
to random nonsense, and authentication will fail.
RADIUS is really that simple.
Alan DeKok.
More information about the Freeradius-Users
mailing list