EAP-PWD with wrong password

Stefan Winter stefan.winter at restena.lu
Tue Sep 11 13:51:40 CEST 2018


> Is there a way to determine that a user tried to log in with a "wrong password" with eap-pwd?
> Setup is as recommended by comments in config with an inner-tunnel.
> EAP-PWD against edir with a correct password works fine and it produces a log line on Access-Accept in the radius-Logfile.
> But EAP-PWD with the user using a wrong password, does nothing.
> In debug it just looks like an unfinished eap-request with eap returning handled instead of ok for the last packet.
> Problem is, that we cannot see  "normal" entry in radius.log  and trigger some other actions on a reject.

Two guys who know nothing about each other talk about a password they
hold close to their chest, not showing to the other side.

When their talk about the passwords shows that they actually have the
same password in front of them then both are happy, knowing that the
respective other side is genuine.

When their talk ends nowhere all that can be said is that the two
parties disagree about what the password is.

There is then no "wrong" and "right" password. They are just different.
And so, both ends walk away.

I.e. the user cannot know if his password is wrong, or if he is maybe
connected to a rogue server which doesn't actually know the password and
is trying to impersonate the server (failing miserably).

The server, which at some point sends the Commit message based on what
it thinks is the password, never gets a reply because the other end went
away. But it can't know whether the other end went away because the
password talk went sideways, or if the other end simply closed the
laptop's lid and never received and acted upon the message.

So, what should the server log? It can't be sure it was about a bad
password. All it knows is that it sent something but noone replied.

Should it maybe log that, instead of just doing nothing? How long should
it wait before doing so?


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20180911/df909e61/attachment.sig>

More information about the Freeradius-Users mailing list