pam_radius and Cisco ACS

Alan DeKok aland at
Thu Feb 16 04:20:15 CET 2006

Tom <tjonesjr at> wrote:
> No, the shared secret is correct, otherwise the ACS would show that as
> being the error

  RADIUS doesn't work like that.

  If there's no Message-Authenticator in the packet (and pam_radius
doesn't send one), then the server can't tell that the secret is
wrong.  It can guess, (e.g. the messages FreeRADIUS produces), but it
has no way of knowing for sure.

> I thought this might have been the issue until I purposely used the
> wrong secret and there were different error's.

  If ACS can decode the password properly, then the shared secret is
correct, and it *should* authenticate the user.

  If the shared secret is incorrect, then it will decode the password
to random nonsense, and authentication will fail.

  RADIUS is really that simple.

  Alan DeKok.

More information about the Freeradius-Users mailing list