"Vic Abell" <[EMAIL PROTECTED]> wrote:
> >   Nonsense.  The authorization isn't returned to the caller until
> > after they've been authenticated.
> 
> No, it's not nonsense.  The secretary's telling me that Vic
> Abell has an appointment gives away potentially useful
> information.

  Please read again, where I said "The authorization isn't returned to
the caller until after they've been authenticated."

  No one is told ANYTHING until after authentication succeeds.  Your
analogies are incorrect, due to a lack of understanding of the
protocol.

> However, because the RADIUS protocol doesn't seem to have
> separate returns for authorization and authentication
> results, it's not giving the client a hint that the attempt
> is worth retrying with a different password.

  Exactly.  Reading the RFCs would make this clear.

> You gave an explanation much more acceptable to me 

  Uh, right.  Why were you arguing about something you didn't
understand?  It would have been politer for you to ask HOW it works,
rather than claiming it's wrong and insecure, and then back-pedalling
when your confusion was corrected.

> I completely overlooked the feature of the RADIUS protocol and
> server that allows multiple authentication methods to be applied.
> In that case it is clearly useful to authorize the authentication
> type first.

  Which is made clear in the RFCs, in the server documentation, in
the server configuration files, and in the server source.  Please read
them before asking any more confusing questions.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html