On Wednesday 19 July 2006 13:55, Michael Lecuyer wrote:
> This has been explained before in this list and it's how RADIUS works.
>
> Even though the secret is incorrect the authentication can be
> correct. The server returns an Access-Accept. Why? The server trusts the
> client (it's in the accepted NAS list) and performs the authentication.

Why then, if the secret is a lot different, does the server reject the
client? Or is it just that MD5 can generate identical results from two
different input strings, and we were just unlucky?

David

> The server then signs the response packet with its version of the
> secret. The client doesn't trust the server and checks the signature. If
> the signature is not correct the client rejects the packet.
>
> The opposite is true with accounting packets - the client signs the
> request and the server checks the signature.
>
> The Message-Authenticator attribute can be used to sign the
> Access-Request packet, which will cause the server to reject a packet
> with an incorrect MA signature.
>
> David Goodenough wrote:
> > I just hit a really odd problem with a secret.
> >
> > We were asked to use FreeRadius to provide IP addresses to an Ericsson
> > NAS. We set up the server and have some test clients with simple
> > secrets. If those are right it works, if they are wrong it fails.
> >
> > Then we put in the secret for the Ericsson (I can not put it in this
> > note as it is someone else's secret and I do not know what else it might
> > be the secret for, but privately I could make it available for testing).
> >
> > This secret is 13 digits long, mixed numbers and letters, looks
> > reasonably random, and in the proper secret all the letters were upper
> > case. However somehow one of the letters (an O) got put into the server
> > in lower case.
> >
> > The server happily accepts Access-Request packets with an authenticator
> > built from the all upper case secret, even though its secret was
> > different; it was only the client which rejected the Access-Accept.
> > Diagnosing this however was very difficult as we had no access to the
> > Ericsson box and any console messages it might log (we could only see
> > what went on the wire and whether the connection succeeded).
> >
> > A quick look at the code did not find anywhere where the secret gets
> > folded to all upper case (but I might have missed it), and if there were
> > such folding it would be unfortunate if this was only done on checking
> > the received packet, not on generating the reply.
> >
> > I am new to RADIUS, and I could not find any rules about case folding for
> > secrets, but I might have missed them.
> >
> > It could simply be one of those freak places where the MD5 checksum
> > happens to be the same for the request but not the response, but that
> > does not feel right.
> >
> > I am using 1.1.1 (I am also using JRadius which last time I looked only
> > produced patches for 1.1.1, not 1.1.2).
> >
> > David
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
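The mechanism Michael describes above, worked through as an added example (this is not code from the thread or from FreeRADIUS). It builds the RADIUS packets from RFC 2865/2869 by hand: the Request Authenticator is random, so a server that only has the request has nothing it can check against its secret and answers anyway; the Response Authenticator is an MD5 over the reply plus the server's secret, so a client with a differently-cased secret rejects the Access-Accept; and a Message-Authenticator (HMAC-MD5 over the request, keyed with the secret) is the one thing that lets the server reject the request itself. The secrets, the User-Name value and the identifier are constructed for the example; no User-Password is carried.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code, Identifier, Length, 16-byte Authenticator


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; Length covers the whole TLV."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Assemble a RADIUS packet: 4-byte header, 16-byte Authenticator, attributes."""
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def sign_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: sign the reply with the server's own copy of the secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with the client's secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[HEADER_LEN:length], request_auth, secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def add_message_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2869 section 5.14: HMAC-MD5 over the whole packet with the MA value zeroed."""
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    zeroed = build_packet(code, ident, request_auth, attrs + placeholder)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return build_packet(code, ident, request_auth, attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(packet: bytes, secret: bytes):
    """Returns None when the attribute is absent, otherwise True/False."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False  # malformed attribute: treat the packet as bad
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return None


def simulate_exchange(client_secret: bytes, server_secret: bytes, use_message_authenticator: bool) -> dict:
    """One Access-Request/Access-Accept round trip between a NAS and a server."""
    ident = 42
    request_auth = os.urandom(16)  # random by design: it proves nothing about the secret
    attrs = encode_attr(ATTR_USER_NAME, b"testuser")  # constructed; no User-Password here
    if use_message_authenticator:
        request = add_message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, client_secret)
    else:
        request = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

    # Server: the only integrity check it can run on an Access-Request is Message-Authenticator.
    if verify_message_authenticator(request, server_secret) is False:
        return {"server_dropped_request": True, "client_accepted_response": False}
    response = sign_response(ACCESS_ACCEPT, ident, request_auth, b"", server_secret)
    # Client: it does not trust the server and checks the Response Authenticator.
    return {"server_dropped_request": False,
            "client_accepted_response": verify_response(response, request_auth, client_secret)}


if __name__ == "__main__":
    upper, lower = b"ABC123O456XYZ", b"ABC123o456XYZ"  # constructed: one 'O' differs in case
    print("matching secrets, no MA:", simulate_exchange(upper, upper, False))
    print("case-mismatched, no MA: ", simulate_exchange(upper, lower, False))
    print("case-mismatched, with MA:", simulate_exchange(upper, lower, True))
```

With the two secrets differing only in the case of one letter, the no-Message-Authenticator run reproduces the symptom in the thread (server answers, client rejects), and the run with Message-Authenticator shows the server dropping the request instead, which is the failure mode that is diagnosable from the server's side. One caveat outside this example: when the NAS sends a PAP User-Password, that attribute is also obscured with the secret, so a wrong secret would normally show up as a wrong password on the server as well.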