When the RADIUS Server receives a packet with an incorrect secret it MUST be silently discarded. Why isn the packet discarded?
This comes from a misreading of the RADIUS server authentication RFC. The relevant text states: Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded. Notice that the statement says ‘does not have a shared secret’ and not ‘does not have a correct shared secret’. There is no possible way that the server can detect an incorrect secret in a normal packet as there is generally no information that is generated using the shared secret. It is the responsibility of the client to determine if the response packet is properly signed by the server. The use of the Message-Authenticator attribute will force the detection of an incorrect secret by the server. This is generally used in conjunction with an EAP-Message but may be used alone. Other side effects of an incorrect secret: PAP passwords will be incorrect as the PAP password is encoded using the shared secret. MS
Related Questions
- When the RADIUS Server receives a packet with an incorrect secret it MUST be silently discarded. Why isn the packet discarded?
- During configuration of the access point and the RADIUS server, I am requested to specify a Shared Secret. What is it?
- What is new in IAS, the Windows 2000 versions of the RADIUS server?
