[EMAIL PROTECTED] wrote:
> - However when the same cases are tried for CHAP we can see the
> difference. In the first case the authentication is successful; however
> when we give a junk shared secret the authentication should ideally have
> been rejected.

  The key word is "ideally".  RADIUS isn't ideal.

  This weakness has been known for over 10 years in RADIUS.  All RADIUS
servers are vulnerable to this issue.  It isn't news.

  RFC 5080 (of which I am co-author) suggests that all RADIUS clients
add a Message-Authenticator to the Access-Request.  This addition
enables the RADIUS server to catch the case of an incorrect shared secret.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
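The following is an added illustration of the point made in the reply above; it is not code from the thread's author or from FreeRADIUS. It builds minimal Access-Request packets as a RADIUS client would, with constructed user names, passwords and shared secrets, and runs a toy server over them. It goes slightly beyond the quoted CHAP case by also encoding a PAP request (RFC 2865 section 5.2 User-Password hiding) for contrast: with PAP the shared secret is mixed into the password attribute, so a junk secret yields a reject; with CHAP the secret is not used anywhere in the request, so a junk secret is accepted unless the client also sends a Message-Authenticator (RFC 2869 section 5.14, HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed), which the server verifies and, on mismatch, discards the request.

```python
"""Why a wrong shared secret goes unnoticed for CHAP Access-Requests, and how
Message-Authenticator lets the server detect it.  Added example, not
FreeRADIUS code; all users, passwords and secrets below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_CHAP_CHALLENGE = 60
ATTR_MESSAGE_AUTHENTICATOR = 80


def tlv(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def pap_xor(data, secret, request_auth, decrypt):
    """RFC 2865 s5.2 User-Password hiding: per 16-byte block, XOR with
    MD5(secret + previous block), the first 'previous block' being the
    Request Authenticator.  The shared secret is therefore part of PAP."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, keystream))
        out += result
        prev = block if decrypt else result  # chain on the ciphertext block
    return out


def build_access_request(ident, username, password, client_secret, method, with_ma):
    """Client side: Access-Request with PAP or CHAP, optionally with
    Message-Authenticator (RFC 2869 s5.14) computed under client_secret."""
    request_auth = os.urandom(16)
    attrs = tlv(ATTR_USER_NAME, username)
    if method == "pap":
        padded = password + b"\x00" * (-len(password) % 16)
        attrs += tlv(ATTR_USER_PASSWORD, pap_xor(padded, client_secret, request_auth, False))
    else:
        # CHAP: MD5(ident + password + challenge).  Note: no shared secret involved.
        chap_id, challenge = 0x2A, os.urandom(16)
        response = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
        attrs += tlv(ATTR_CHAP_CHALLENGE, challenge)
        attrs += tlv(ATTR_CHAP_PASSWORD, bytes([chap_id]) + response)
    ma_offset = None
    if with_ma:
        ma_offset = 20 + len(attrs) + 2          # offset of the 16-byte MA value
        attrs += tlv(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    if with_ma:
        mac = hmac.new(client_secret, pkt, hashlib.md5).digest()
        pkt = pkt[:ma_offset] + mac + pkt[ma_offset + 16:]
    return pkt


def server_handle(pkt, server_secret, users):
    """Server side: returns 'discard', 'reject' or 'accept'."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    request_auth = pkt[4:20]
    attrs, offset, ma_offset = {}, 20, None
    while offset < length:
        attr_type, attr_len = pkt[offset], pkt[offset + 1]
        attrs[attr_type] = pkt[offset + 2:offset + attr_len]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            ma_offset = offset + 2
        offset += attr_len
    if ATTR_MESSAGE_AUTHENTICATOR in attrs:
        # Recompute HMAC-MD5 over the packet with the MA value zeroed.
        zeroed = pkt[:ma_offset] + b"\x00" * 16 + pkt[ma_offset + 16:]
        expected = hmac.new(server_secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, attrs[ATTR_MESSAGE_AUTHENTICATOR]):
            return "discard"   # RFC 2869: silently discard on mismatch
    password = users.get(attrs.get(ATTR_USER_NAME))
    if password is None:
        return "reject"
    if ATTR_USER_PASSWORD in attrs:
        clear = pap_xor(attrs[ATTR_USER_PASSWORD], server_secret, request_auth, True)
        ok = clear.rstrip(b"\x00") == password   # junk secret -> garbage -> reject
    else:
        chap = attrs[ATTR_CHAP_PASSWORD]
        challenge = attrs.get(ATTR_CHAP_CHALLENGE, request_auth)
        expected = hashlib.md5(chap[:1] + password + challenge).digest()
        ok = hmac.compare_digest(expected, chap[1:])  # secret never consulted
    return "accept" if ok else "reject"


def run_cases():
    """All combinations of method, client secret and Message-Authenticator."""
    users = {b"bob": b"correct-horse"}                 # constructed user database
    server_secret = b"testing123"                      # constructed shared secret
    results = {}
    for method in ("pap", "chap"):
        for label, client_secret in (("good", server_secret), ("junk", b"junk-secret")):
            for with_ma in (False, True):
                pkt = build_access_request(7, b"bob", users[b"bob"], client_secret, method, with_ma)
                results[(method, label, with_ma)] = server_handle(pkt, server_secret, users)
    return results


if __name__ == "__main__":
    for key, outcome in sorted(run_cases().items()):
        print(key, "->", outcome)
```

The row to look at is `("chap", "junk", False)`: the server accepts because nothing in a CHAP-only Access-Request depends on the shared secret (the client would only notice later, when the Access-Accept's Response Authenticator fails to verify). Adding the Message-Authenticator turns that same case into a discard, which is the behaviour RFC 5080 recommends clients enable.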
