Antw: Re: EAP-PWD with wrong password
stefan.winter at restena.lu
Tue Sep 11 14:20:44 CEST 2018
> "When their talk ends nowhere all that can be said is that the two
> parties disagree about what the password is.
> I understand that it is like that by design:
> EAP-PWD RFC says in 22.214.171.124 EAP-pwd-Confirm-Exchange: "If the value of
> Confirm_S is incorrect, the peer MUST terminate the exchange"
> ... I think this could be the point where it happens (I'm not too deep into
> I understand that the freeradius-module is written as defined in the RFC.
Yes, I believe it was even written by the RFC author himself :-)
> RADIUS RFC says: If any value of the received Attributes is not acceptable,
> then the RADIUS Server MUST transmit a packet with the Code field set to 3
> I think, that does not match here, because it is not the server who does not
> accept the packet
Exactly: the server *does* send something back. Its last message is the
> "Upon receipt of an Access-Request from a valid client, an appropriate reply
> MUST be transmitted."
> So the question for me is: Is this a "valid" client or not? MUST there be a
There is nothing to reply to because there is no Access-Request. The
client receives a Confirm, and walks away.
The server just sits there waiting for an incoming Access-Request which
> Wouldn't it be an idea for the EAP-PWD peer to send back an explicit "I disagree
> with you, let us stop talking" (some kind of NAK)? Just asking :-)
Yes. In that case, it would be up to the client to send such a message
to the server, because it evaluated the Confirm and it didn't compare
well to its own expectation.
Unfortunately, nothing like that is foreseen in the RFC. And if such a
message doesn't even exist, then it is asking a bit much of a client to
send it :-)
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
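
The behaviour discussed in this thread, seen from the server side, as an added example that is not part of the original message and is not FreeRADIUS code: because the peer simply stops after a Confirm it does not accept, no Access-Reject is produced, so a monitor has to look for sessions whose last packet is the server's Confirm challenge. The trace format, the function names and the 30-second timeout are assumptions, and the sample trace is constructed.

```python
from collections import Counter

TIMEOUT_S = 30  # assumed wait for the next Access-Request; use your server's value

# One complete EAP-pwd login as RADIUS packets: (packet, EAP-pwd exchange).
FLOW = [("Access-Challenge", "ID"), ("Access-Request", "ID"),
        ("Access-Challenge", "Commit"), ("Access-Request", "Commit"),
        ("Access-Challenge", "Confirm"), ("Access-Request", "Confirm"),
        ("Access-Accept", None)]

def session(sid, identity, start, steps):
    """Constructed sample data: the first `steps` packets of FLOW, one per second."""
    return [(start + i, sid, identity, *FLOW[i]) for i in range(steps)]

# Constructed trace (chronological): (time_s, session, identity, packet, exchange)
TRACE = (session("a", "alice", 0, 7)     # completes
         + session("b", "bob", 10, 5)    # peer stops after the server's Confirm
         + session("c", "bob", 20, 5)    # same again
         + session("d", "carol", 30, 3)  # peer stops after the server's Commit
         + session("e", "dave", 95, 5))  # Confirm just sent, still within timeout

def classify(trace, now, timeout=TIMEOUT_S):
    """Map each session to (identity, state) based on its last packet."""
    last = {}
    for t, sid, identity, packet, exchange in trace:
        last[sid] = (t, identity, packet, exchange)
    states = {}
    for sid, (t, identity, packet, exchange) in last.items():
        if packet in ("Access-Accept", "Access-Reject"):
            state = "finished"
        elif packet == "Access-Challenge" and now - t >= timeout:
            # The server spoke last and nothing came back before the timeout.
            state = "silent-after-confirm" if exchange == "Confirm" else "silent-early"
        else:
            state = "in-progress"
        states[sid] = (identity, state)
    return states

def confirm_dropouts(trace, now, timeout=TIMEOUT_S):
    """Count, per identity, sessions that went silent after the server's Confirm."""
    return Counter(identity
                   for identity, state in classify(trace, now, timeout).values()
                   if state == "silent-after-confirm")

if __name__ == "__main__":
    for sid, (identity, state) in classify(TRACE, now=100).items():
        print(sid, identity, state)
    print(dict(confirm_dropouts(TRACE, now=100)))
```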