incorrect shared secret
Alan DeKok
aland at deployingradius.com
Mon Dec 14 16:24:45 CET 2009
James Devine wrote:
> If a packet is received that contains an incorrect shared secret,
> should something be logged?
No.
> Looking through the logs, it looks like
> freeradius still tries to process the request, the password is
> mangled, but no mention of incorrect shared secret as far as I can
> tell.
Yes. The "incorrect shared secret" message is a *guess*, and is only
printed in debugging mode.
And it's only a guess. There is *no* way to know if the shared secret
is wrong. The user's password really might be a random string of binary
nonsense: that is allowed in RADIUS.
If the packet contains a Message-Authenticator attribute, then it will
detect that the shared secret was wrong. The request will be rejected
without being processed (i.e. no username/password checks). And a
message won't be logged, due to DoS issues.
Alan DeKok.
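
An added illustration (not part of the original message and not FreeRADIUS code) of the two cases described above: RFC 2865 User-Password hiding decodes without error under any secret, while the HMAC-MD5 Message-Authenticator check fails when the secret differs. The user name, password, secrets and Request Authenticator are constructed sample values, and the helper names are hypothetical.

```python
import hashlib, hmac, struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password. No step can fail: every secret yields bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def find_attr(packet, attr_type):
    """Return (offset, value) of the first attribute of attr_type, or None."""
    pos = 20  # attributes start after the 20-byte RADIUS header
    while pos + 2 <= len(packet):
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None
        if packet[pos] == attr_type:
            return pos, packet[pos + 2:pos + length]
        pos += length
    return None

def build_access_request(user, password, secret, authenticator, ident=1):
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in (
        (1, user),                                          # User-Name
        (2, hide_password(password, secret, authenticator)),  # User-Password
        (80, b"\x00" * 16)))          # Message-Authenticator, zeroed for HMAC
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def message_authenticator_ok(packet, secret):
    """Recompute HMAC-MD5 over the packet with attribute 80 zeroed."""
    found = find_attr(packet, 80)
    if found is None or len(found[1]) != 16:
        return False
    pos, received = found
    zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)

# Constructed sample values, not taken from the thread.
AUTH = bytes(range(16))
PACKET = build_access_request(b"bob", b"hunter2", b"client-secret", AUTH)
```

Decoding the User-Password attribute of `PACKET` with a different secret returns bytes rather than an error, whereas `message_authenticator_ok` returns `False` for that same secret.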