Antw: Re: EAP-PWD with wrong password

Stefan Winter stefan.winter at
Tue Sep 11 14:20:44 CEST 2018


> "When their talk ends nowhere all that can be said is that the two
> parties disagree about what the password is.
> "
> I understand that it is like that by design:
> EAP-PWD RFC says in EAP-pwd-Confirm-Exchange: "If the value of
> Confirm_S is incorrect, the peer MUST terminate the exchange"
> ... I think this could be the point where it happens (I'm not too deep into
> I understand that the freeradius-module is written as defined in the RFC.

Yes, I believe it was even written by the RFC author himself :-)

> RADIUS RFC says: If any value of the received Attributes is not acceptable,
> then the RADIUS Server MUST transmit a packet with the Code field set to 3
> (Access-Reject).
> I think that does not match here, because it is not the server that does not
> accept the packet

Exactly: the server *does* send something back. Its last message is the

> ,but:
> "Upon receipt of an Access-Request from a valid client, an appropriate reply
> MUST be transmitted."
> So the question for me is: Is this a "valid" client or not? MUST there be a
> reply?

There is nothing to reply to because there is no Access-Request. The
client receives a Confirm, and walks away.

The server just sits there waiting for an incoming Access-Request which
never comes.

> Wouldn't it be an idea for the EAP-PWD peer to send back an explicit "I disagree
> with you, let us stop talking" (some kind of NAK)? Just asking :-)

Yes. In that case, it would be up to the client to send such a message
to the server, because it evaluated the Confirm and it didn't compare
well to its own expectation.

Unfortunately, nothing like that is foreseen in the RFC. And if such a
message doesn't even exist, then it is asking a bit much of a client to
send it :-)


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
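
Added example, not part of the original message and not FreeRADIUS code: a server-side check that flags conversations whose last packet is the server's EAP-pwd Confirm with no later Access-Request, which is the silent ending described above. The event tuples, the 30-second timeout and the verdict strings are assumptions made for this sketch; the EAP type (52) and PWD-Exch values come from RFC 5931.

```python
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_PWD = 52                             # EAP-pwd method type
PWD_ID, PWD_COMMIT, PWD_CONFIRM = 1, 2, 3     # PWD-Exch values, RFC 5931

def pkt(code, ident, exch=None):
    """Build a minimal EAP packet (constructed test data, payload omitted)."""
    body = b"" if exch is None else bytes([EAP_TYPE_PWD, exch])
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body

def pwd_exch(eap):
    """PWD-Exch of an EAP-pwd request/response, else None."""
    is_req_resp = len(eap) >= 6 and eap[0] in (EAP_REQUEST, EAP_RESPONSE)
    if not is_req_resp or eap[4] != EAP_TYPE_PWD:
        return None
    return eap[5] & 0x3F                      # top two bits are the L and M flags

def classify(events, now, timeout=30):
    """events: (ts, session, direction, eap); 'tx' means server to peer.
    Returns {session: verdict} from the last packet seen per session."""
    last = {}
    for ts, sess, direction, eap in sorted(events, key=lambda e: e[0]):
        last[sess] = (ts, direction, eap)
    verdicts = {}
    for sess, (ts, direction, eap) in last.items():
        if eap[0] == EAP_SUCCESS:
            verdicts[sess] = "completed"
        elif eap[0] == EAP_FAILURE:
            verdicts[sess] = "rejected"
        elif now - ts <= timeout:
            verdicts[sess] = "in-progress"
        elif direction == "tx" and pwd_exch(eap) == PWD_CONFIRM:
            # Server sent its Confirm and the peer never came back.
            verdicts[sess] = "peer-abandoned-after-confirm"
        else:
            verdicts[sess] = "stalled"
    return verdicts

# Constructed sample: session "a" stops after the server's Confirm, "b" finishes.
SAMPLE = []
for sess in ("a", "b"):
    for i, exch in enumerate((PWD_ID, PWD_COMMIT, PWD_CONFIRM)):
        SAMPLE.append((2 * i, sess, "tx", pkt(EAP_REQUEST, i, exch)))
        if not (sess == "a" and exch == PWD_CONFIRM):
            SAMPLE.append((2 * i + 1, sess, "rx", pkt(EAP_RESPONSE, i, exch)))
SAMPLE.append((6, "b", "tx", pkt(EAP_SUCCESS, 3)))

if __name__ == "__main__":
    print(classify(SAMPLE, now=120))
```

Counting "peer-abandoned-after-confirm" verdicts per user or per NAS gives operators the signal that no Access-Reject will ever provide in this case.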