Yet another shared secret mismatch issue

Alan DeKok aland at
Thu Jul 12 14:53:02 CEST 2018

On Jul 12, 2018, at 2:59 AM, Alberto Martínez Setién via Freeradius-Users <freeradius-users at> wrote:
> I'm trying to configure hardware (MAC) auth using FreeRADIUS.
> It works nice with another provider, but on this new one seems to do shared
> secret signing wrong.

  It happens. :(

> I have no doubt that FR does the right thing, and I'm sure that this is not
> a "maybe you didn't input the same secret in both places" issue. This is
> either a hardcoded secret (not their first time) or a bad implementation.
> They deny any wrongdoing on their part.

  They can:

a) believe that they made a mistake, because some (likely) junior engineer screwed up

b) believe that FreeRADIUS is wrong, even tho it's running in 10M different sites with ~1B different users authenticating every day.

  Those are really the only two options.

> I intend to prove that they are doing RADIUS secret wrong and have locate
> the fr_radius_verify function.
> My questions are:
> Can I brute force the secret somehow?
> Can I make my point to them somehow else?

  Try it with 3-4 different RADIUS implementations.  There are other (old, shitty) open source RADIUS servers available.

  When their equipment fails with all of them, it should be pretty clear that their equipment is crap.

  Alan DeKok.

More information about the Freeradius-Users mailing list