Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challengeresponse

[Govardhana K N]

Thanks for the help Stefan.

On 7/19/07, Stefan Winter <stefan.winter at restena.lu> wrote:
>
> > I am trying to send an Access-Request with EAP-Identity response. The
> > Request was successful and Server sent an Access-Challenge in response
> (MD5
> > challenge), the response to this challenge is failing (receiving
> > Access-Reject from Server), the Error message was "rlm_eap_md5:
> > User-Password is required for EAP-MD5 authentication". I have the
> > User-Password attribute in Access-Request. Below is the Access-Request
> > packet attributes,
>
> You don't quite understand how EAP-MD5 works. There is not supposed to be
> a
> User-Password in the request - instead, a response to the MD5-Challenge
> the
> server sent out earlier. The *server* needs to know the user's password to
> verify this response. So putting the attribute User-Password in the
> request
> won't gain you anything, other than violating RFCs. The server will not
> look
> there.
> With EAP-MD5, the user's password is *never* on the wire.
> You want to configure the user's password in the server, for example in
> the
> users file. In 1.16 and later, you will want to use the
> name "Cleartext-Password" instead of User-Password for that - it reduces
> confusion.
>
> Stefan
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: stefan.winter at restena.lu Tel.:   +352 424409-1
> http://www.restena.lu   Fax: +352 422473
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>


-- 
With Regards,
Govardhana K N
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/796edbf4/attachment.html>