Re: Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challengeresponse

2007-07-19 Thread Stefan Winter
> I am trying to send an Access-Request with EAP-Identity response. The
> Request was successful and Server sent an Access-Challenge in response (MD5
> challenge), the response to this challenge is failing (receiving
> Access-Reject from Server), the Error message was rlm_eap_md5:
> User-Password is required for EAP-MD5 authentication. I have the
> User-Password attribute in Access-Request. Below is the Access-Request
> packet attributes,

You don't quite understand how EAP-MD5 works. There is not supposed to be a 
User-Password in the request - instead, a response to the MD5-Challenge the 
server sent out earlier. The *server* needs to know the user's password to 
verify this response. So putting the attribute User-Password in the request 
won't gain you anything, other than violating RFCs. The server will not look 
there.
With EAP-MD5, the user's password is *never* on the wire.
You want to configure the user's password in the server, for example in the 
users file. In 1.16 and later, you will want to use the 
name Cleartext-Password instead of User-Password for that - it reduces 
confusion.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
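
The exchange described in the reply above, as an added example that is not part of the original thread or of FreeRADIUS: the client answers the MD5-Challenge with MD5(Identifier || password || Challenge) as defined for CHAP in RFC 1994, and the server recomputes it from the cleartext password it stores. The function names and the sample user `bob` / `hello` are constructed for illustration; in RADIUS these EAP packets travel inside EAP-Message attributes.

```python
import hashlib, hmac, os, struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def build_eap_md5(code, ident, value, name=b""):
    """EAP packet: Code, Identifier, Length, Type=4, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap_md5(packet):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(packet) < 6:
        raise ValueError("too short for EAP-MD5")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("bad length or not EAP-MD5")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet")
    return code, ident, packet[6:6 + size], packet[6 + size:]

def md5_response(ident, password, challenge):
    """CHAP-style hash from RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def client_respond(request, password, name):
    """Supplicant side: answer the challenge; only the hash is sent."""
    code, ident, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP Request")
    value = md5_response(ident, password, challenge)
    return build_eap_md5(EAP_RESPONSE, ident, value, name)

def server_verify(request, response, stored_password):
    """Server side: recompute the hash from the locally stored password."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    code, resp_id, value, _ = parse_eap_md5(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    expected = md5_response(req_id, stored_password, challenge)
    return hmac.compare_digest(value, expected)

if __name__ == "__main__":
    # Constructed sample: user "bob", password "hello" configured on the server.
    req = build_eap_md5(EAP_REQUEST, 7, os.urandom(16))
    resp = client_respond(req, b"hello", b"bob")
    print("accept" if server_verify(req, resp, b"hello") else "reject")
```
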

Re: Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challengeresponse

2007-07-19 Thread Govardhana K N

Thanks for the help Stefan.

On 7/19/07, Stefan Winter [EMAIL PROTECTED] wrote:


> > I am trying to send an Access-Request with EAP-Identity response. The
> > Request was successful and Server sent an Access-Challenge in response (MD5
> > challenge), the response to this challenge is failing (receiving
> > Access-Reject from Server), the Error message was rlm_eap_md5:
> > User-Password is required for EAP-MD5 authentication. I have the
> > User-Password attribute in Access-Request. Below is the Access-Request
> > packet attributes,
>
> You don't quite understand how EAP-MD5 works. There is not supposed to be a
> User-Password in the request - instead, a response to the MD5-Challenge the
> server sent out earlier. The *server* needs to know the user's password to
> verify this response. So putting the attribute User-Password in the request
> won't gain you anything, other than violating RFCs. The server will not look
> there.
> With EAP-MD5, the user's password is *never* on the wire.
> You want to configure the user's password in the server, for example in the
> users file. In 1.16 and later, you will want to use the
> name Cleartext-Password instead of User-Password for that - it reduces
> confusion.
>
> Stefan

--
With Regards,
Govardhana K N