incorrect shared secret entry authenticates successfully for freeradius

Alan DeKok aland at deployingradius.com
Tue Mar 18 14:58:35 CET 2008


sanjeev.kumarroy at wipro.com wrote:
> - However when the same cases are tried for CHAP we can see the
> difference. In the first case the authentication is successful; however
> when we give a junk shared secret the authentication should ideally have
> been rejected.

  The key word is "ideally".  RADIUS isn't ideal.

  This weakness has been known for over 10 years in RADIUS.  All RADIUS
servers are vulnerable to this issue.  It isn't news.

  RFC 5080 (of which I am co-author) suggests that all RADIUS clients
add a Message-Authenticator to the Access-Request.  This additional
attribute enables the RADIUS server to catch the case of an incorrect shared secret.

  Alan DeKok.
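Added example, not from this thread or from FreeRADIUS, in Python: it shows why a CHAP Access-Request verifies no matter what shared secret the server holds (the CHAP digest never involves the secret), and how a Message-Authenticator (RFC 2869 s5.14, the attribute RFC 5080 recommends) lets the server detect a wrong secret. The secret, user name, password and challenge bytes are constructed; with no CHAP-Challenge attribute present, the Request Authenticator doubles as the CHAP challenge as RFC 2865 specifies.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, USER_NAME, CHAP_PASSWORD, MSG_AUTH = 1, 1, 3, 80

def attr(kind, value):
    # RADIUS attribute TLV: type, total length, value (RFC 2865 s5)
    return struct.pack("!BB", kind, 2 + len(value)) + value

def chap_password(chap_id, password, challenge):
    # CHAP-Password = ident || MD5(ident || password || challenge); the shared secret is not involved
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def access_request(ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def sign(packet, secret):
    # RFC 2869 s5.14: append a Message-Authenticator holding 16 zero bytes, HMAC-MD5 the whole
    # packet under the shared secret, then write the digest into the attribute.
    pkt = packet[:2] + struct.pack("!H", len(packet) + 18) + packet[4:] + attr(MSG_AUTH, b"\x00" * 16)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def attributes(packet):
    pos = 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        yield kind, pos, packet[pos + 2:pos + length]
        pos += length

def server_checks(packet, secret, password):
    """Return (chap_ok, msg_auth_ok); msg_auth_ok is None when the attribute is absent."""
    attrs = {kind: (pos, val) for kind, pos, val in attributes(packet)}
    _, chap = attrs[CHAP_PASSWORD]
    chap_ok = hmac.compare_digest(chap_password(chap[0], password, packet[4:20]), chap)
    if MSG_AUTH not in attrs:
        return chap_ok, None  # nothing ties the packet to the secret: the case in the thread
    pos, received = attrs[MSG_AUTH]
    zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
    return chap_ok, hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)

SECRET = b"correct-secret"     # constructed client-side shared secret
CHALLENGE = bytes(range(16))    # constructed Request Authenticator, doubles as the CHAP challenge
REQUEST = access_request(7, CHALLENGE, [attr(USER_NAME, b"bob"),
                                        attr(CHAP_PASSWORD, chap_password(1, b"hunter2", CHALLENGE))])
SIGNED = sign(REQUEST, SECRET)
```

`server_checks(REQUEST, b"junk", b"hunter2")` returns `(True, None)`, the accept-with-wrong-secret behaviour the thread describes; the same request signed with a Message-Authenticator returns `(True, False)` under the wrong secret, which is the rejection the server can now perform.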
