Can an EAP-over-RADIUS request ever result in an Access-Reject?
Joe Garcia
joe27256 at gmail.com
Tue Jan 28 11:20:44 CET 2020
Alan DeKok <aland at deployingradius.com> wrote:
> The Message-Authenticator is calculated from the RADIUS shared secret, i.e.
> the secret shared between the RADIUS client and server.
>
> It has nothing to do with the user's password.
It does if it's being used as a generic EAP-TTLS authentication
mechanism and the client just has a username+password, i.e. the RADIUS
shared secret is the same as the password used with EAP-TTLS. In other
words, the client is being told to authenticate with EAP-TTLS and given
a username + password; they don't have, or even know, that there's a
second, different password to use with RADIUS vs. whatever they're
running over EAP-TTLS.
> Run eapol_test with an incorrect password, and see what happens. You will
> see that the RADIUS shared secret is NOT the same as the user's password.
See above; that's for the specific case of eapol_test, or an
equivalent that uses two different passwords/shared secrets/whatever.
In this case there's only a single username+password available to auth
with.
I realize the answer is probably "don't do that, then", but the server
is a third-party service that can't be changed.
JG.
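Added example, not code from this thread or from FreeRADIUS: the Message-Authenticator computation as RFC 2869 defines it, keyed only by the RADIUS shared secret, and the server-side check that fails when the two sides key it differently. The secret, password, identifier and Request Authenticator below are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1               # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79            # RFC 3579
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 s5.14

def attr(atype, value):
    """Encode one attribute as Type, Length, Value; Length counts the 2-byte header."""
    return bytes([atype, 2 + len(value)]) + value

def eap_identity(identity):
    """Constructed EAP-Response/Identity: Code 2, Id 1, Length, Type 1, identity."""
    return struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity.encode()

def build_access_request(identifier, authenticator, username, eap, shared_secret):
    """Access-Request carrying EAP. Message-Authenticator = HMAC-MD5 keyed with the
    RADIUS shared secret over the whole packet, with its own 16 value octets zeroed
    during the computation (RFC 2869 s5.14). The user's password never enters it."""
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(ATTR_EAP_MESSAGE, eap)
    ma_value_at = 20 + len(attrs) + 2          # offset of the 16 HMAC octets
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(shared_secret, packet, hashlib.md5).digest()
    return packet[:ma_value_at] + mac + packet[ma_value_at + 16:]

def verify_message_authenticator(packet, key):
    """Server-side check. RFC 3579 s3.2: a request with EAP-Message whose
    Message-Authenticator does not verify is silently discarded, so the client
    sees a timeout rather than an Access-Reject."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                        # malformed attribute list
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(key, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False                                # EAP without Message-Authenticator: invalid

if __name__ == "__main__":
    # Constructed values: the NAS keys with the real shared secret; the user's password differs.
    pkt = build_access_request(7, bytes(range(16)), "alice", eap_identity("alice"), b"testing123")
    print("verifies with shared secret:", verify_message_authenticator(pkt, b"testing123"))
    print("verifies with user password:", verify_message_authenticator(pkt, b"hunter2"))
```

A client that keys the HMAC with the EAP-TTLS password instead of the shared secret produces a packet the server cannot verify, which is why the request is dropped rather than answered.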