Can an EAP-over-RADIUS request ever result in an Access-Reject?

Joe Garcia joe27256 at
Tue Jan 28 11:20:44 CET 2020

Alan DeKok <aland at> wrote:

>The Message-Authenticator is calculated from the RADIUS shared secret.  i.e.
>the secret shared between the RADIUS client and server.
>It has nothing to do with the users password.

It does if it's being used as a generic EAP-TTLS authentication
mechanism and the client just has a username+password, i.e. the RADIUS
shared secret is the same as the password used with EAP-TTLS. In other
words the client is being told to authenticate with EAP-TTLS and given
a username + password, they don't have, or even know, that there's a
second, different password to use with RADIUS vs. whatever they're
running over EAP-TTLS.

>Run eapol_test with an incorrect password, and see what happens.  You will
>see that the RADIUS shared secret is NOT the same as the users password.

See above, that's for the specific case of eapol_test, or an
equivalent that uses two different passwords/shared secrets/whatever.
In this case there's only a single username+password available to auth

I realize the answer is probably "don't do that, then", but the server
is a third-party service that can't be changed.


More information about the Freeradius-Users mailing list