Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challenge response
Stefan Winter
stefan.winter at restena.lu
Thu Jul 19 13:38:49 CEST 2007
> I am trying to send an Access-Request with EAP-Identity response. The
> Request was successful and Server sent an Access-Challenge in response (MD5
> challenge), the response to this challenge is failing (receiving
> Access-Reject from Server), the Error message was "rlm_eap_md5:
> User-Password is required for EAP-MD5 authentication". I have the
> User-Password attribute in Access-Request. Below is the Access-Request
> packet attributes,
You don't quite understand how EAP-MD5 works. There is not supposed to be a
User-Password in the request - instead, a response to the MD5-Challenge the
server sent out earlier. The *server* needs to know the user's password to
verify this response. So putting the attribute User-Password in the request
won't gain you anything, other than violating RFCs. The server will not look
there.
With EAP-MD5, the user's password is *never* on the wire.
You want to configure the user's password in the server, for example in the
users file. In 1.16 and later, you will want to use the
name "Cleartext-Password" instead of User-Password for that - it reduces
confusion.
Stefan
--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
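The exchange described in the reply above, as an added example that is not part of the original message and is not FreeRADIUS code: the client answers the MD5-Challenge with MD5(identifier || password || challenge) (the CHAP construction from RFC 1994 that EAP-MD5 reuses), and the server recomputes it from the cleartext password it has stored. Function names and the sample identifier, challenge and password are constructed for illustration.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4  # RFC 3748, type 4 = MD5-Challenge

def build_md5_packet(code, identifier, value):
    # EAP header (code, id, length), then type, value-size, value
    body = struct.pack("!BB", EAP_TYPE_MD5, len(value)) + value
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_md5_packet(packet):
    # Returns (code, identifier, value); rejects malformed input
    if len(packet) < 6:
        raise ValueError("too short for EAP-MD5")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    eap_type, value_size = packet[4], packet[5]
    if length != len(packet) or eap_type != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP-MD5 packet")
    if value_size == 0 or 6 + value_size > length:
        raise ValueError("bad value-size")
    return code, identifier, packet[6:6 + value_size]

def md5_response_value(identifier, password, challenge):
    # CHAP-style hash: MD5(identifier || password || challenge)
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def client_respond(request, password):
    # Supplicant: answers the challenge; the password itself is never sent
    code, identifier, challenge = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP-Request")
    value = md5_response_value(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, value)

def server_verify(request, response, cleartext_password):
    # Server: recomputes the hash from its stored cleartext password
    _, req_id, challenge = parse_md5_packet(request)
    code, resp_id, value = parse_md5_packet(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    expected = md5_response_value(req_id, cleartext_password, challenge)
    return hmac.compare_digest(expected, value)

# Constructed sample exchange: identifier, challenge and password are made up
PASSWORD = b"example-password"
REQUEST = build_md5_packet(EAP_REQUEST, 7, bytes(range(16)))
RESPONSE = client_respond(REQUEST, PASSWORD)
```

Because the server has to recompute the hash, it needs the password in recoverable form; a one-way hashed password store cannot satisfy this check.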