Blank Password and Recommeded RFC standard

Craig T. Hancock chancock at
Fri May 26 16:48:10 CEST 2006

Alan DeKok wrote:

>   The RFC requirements aren't absolute.  You're free to break them in
> your local system, but doing so may cause catastrophic problems.
>   In this case, what are you trying to do?

I am working with a vendor product that has implemented their own
Radius and when trying to authenticate to their product they say
that when using Challenge based authentication they handle blank
passwords according to the RFC.

After reading the RFC I don't fully understand why blank passwords
seemed to be acceptable. Ultimately I don't understand why radius RFC
has a provision to ask for a password if the original request is
empty when doing two factor authentication. It would seem to me that
if the User-Password field is empty (or what ever attribute is used
with two-factor authentication) that Radius should interpret that with
an Access-Reject.

>   Alan DeKok.
> - 
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list