rlm_rest learnings - PAP and PEAP/MSCHAPv2

Alan DeKok aland at deployingradius.com
Thu Jan 23 01:12:54 CET 2020

On Jan 19, 2020, at 9:29 PM, Lang, Russell <Russell.Lang at team.telstra.com> wrote:
> Using 
>  radtest -t mschap valid-user at domain invalid_password 0 radius_secret
> replied with
>  MS-CHAP-Error = "\000E=691 R=1 C=ad8367a70f809d72 V=2"
> My reading of the MS-CHAP-V2 RFC2759 and PPP CHAP RFC1994 is that this should have been
>  MS-CHAP-Error = "E=691 R=1 C=ad8367a70f809d72 V=2"

   RFC 1994 Section 4 states that the packet format contains a one-octet identifier.  In this case, the leading "\000".

  RFC 2433 and 2579 say that the Failure packet is identical in formation to the normal CHAP message format.  i.e. with the identifier.

  Further, FreeRADIUS interoperates with all MS-CHAP implementations, which add the 1-octet identifier, and which look for it.

  Alan DeKok.

More information about the Freeradius-Users mailing list