Tom <[EMAIL PROTECTED]> wrote: > No, the shared secret is correct, otherwise the ACS would show that as > being the error
RADIUS doesn't work like that. If there's no Message-Authenticator in the packet (and pam_radius doesn't send one), then the server can't tell that the secret is wrong. It can guess, (e.g. the messages FreeRADIUS produces), but it has no way of knowing for sure. > I thought this might have been the issue until I purposely used the > wrong secret and there were different error's. If ACS can decode the password properly, then the shared secret is correct, and it *should* authenticate the user. If the shared secret is incorrect, then it will decode the password to random nonsense, and authentication will fail. RADIUS is really that simple. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html