FreeRadius sends Access-Reject for MAC-AUTH, if shared secret on NAS and server differ

Phani Siriki yvsg.phanis at gmail.com
Mon Apr 15 00:26:12 CEST 2019


Hi Alan

Thanks for the reply. I checked this already and NAS is not sending
Message-Authenticator attribute in this case. I will further check
this. Thanks.

Best Regards
Phani

On Sun, Apr 14, 2019 at 3:20 PM Alan DeKok <aland at deployingradius.com> wrote:
>
> On Apr 14, 2019, at 6:04 PM, Phani Siriki <yvsg.phanis at gmail.com> wrote:
> > Yes, you are correct. But in case of MAC-AUTH which is doing PAP
> > authentication, Access-Reject is sent. FreeRadius should have dropped
> > the request without sending Access-Reject right?
>
>   No.
>
> > Can we make
> > FreeRadius not reply in case MAC-auth if shared secret is wrong.
>
>   No.
>
>   If there is a Message-Authenticator attribute, then the server knows that the shared secret is wrong, and drops the packet.
>
>   If there is no Message-Authenticator attribute, then the server guesses that the shared secret *might* be wrong, but it's not sure.  Because there's no way of knowing for sure.
>
>   If you want to know why, read the RFCs.  If you're not going to read the RFCs, then trust that the server does the Right Thing.  It's been doing RADIUS for 20 years, which is likely longer than you've been doing it.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
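
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: a simplified Python model of an Access-Request carrying a PAP User-Password (RFC 2865) with or without Message-Authenticator (RFC 2869), checked by a server whose shared secret may differ. The function names, the `known` credential table, the secrets and the MAC address are constructed for illustration.

```python
import hashlib, hmac, os, struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, ra):
    # RFC 2865 5.2: pad to 16 octets, XOR each block with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", ra
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, ra):
    out, prev = b"", ra
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(t, v):
    return bytes([t, len(v) + 2]) + v

def build_request(user, password, secret, with_ma):
    # NAS side: Access-Request (code 1) with a random Request Authenticator
    ra = os.urandom(16)
    attrs = attr(1, user) + attr(2, hide_password(password, secret, ra))
    if with_ma:
        attrs += attr(80, b"\x00" * 16)  # placeholder, filled in below
    pkt = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + ra + attrs
    if with_ma:  # HMAC-MD5 over the whole packet with the value zeroed
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def server_decision(pkt, secret, known):
    # Server side: returns "drop", "reject" or "accept"
    ra, pos, attrs = pkt[4:20], 20, {}
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:
            return "drop"  # malformed attribute
        attrs[t] = (pos + 2, pkt[pos + 2:pos + l])
        pos += l
    if 80 in attrs:  # the secret can be verified cryptographically
        off, got = attrs[80]
        zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
        if not hmac.compare_digest(got, hmac.new(secret, zeroed, hashlib.md5).digest()):
            return "drop"
    # Without attribute 80, a wrong secret only shows up as a garbled password
    pw = unhide_password(attrs[2][1], secret, ra)
    return "accept" if known.get(attrs[1][1]) == pw else "reject"
```

With a mismatched secret the server returns "drop" when attribute 80 is present and "reject" when it is absent, because the unhidden password is then indistinguishable from a user typing the wrong password.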

