James Devine wrote:
> If a packet is received that contains an incorrect shared secret,
> should something be logged?

No.

> Looking through the logs, it looks like
> freeradius still tries to process the request, the password is
> mangled, but no mention of incorrect shared secret as far as I can
> tell.

Yes. The "incorrect shared secret" message is a *guess*, and is only printed in debugging mode. And it's only a guess. There is *no* way to know if the shared secret is wrong. The user's password really might be a random string of binary nonsense: that is allowed in RADIUS.

If the packet contains a Message-Authenticator attribute, then it will detect that the shared secret was wrong. The request will be rejected without being processed (i.e. no username/password checks). And a message won't be logged, due to DoS issues.

Alan DeKok.
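The behaviour described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: RFC 2865 User-Password hiding decodes to arbitrary bytes under a mismatched secret, while the HMAC-MD5 in Message-Authenticator (RFC 2869) fails outright. The secrets, Request Authenticator, user name and password are constructed sample values.

```python
import hashlib, hmac, struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """Server side: always yields *some* bytes, right secret or not."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(code, value):
    return bytes([code, len(value) + 2]) + value

def build_access_request(ident, req_auth, user, password, secret):
    """Access-Request with User-Name(1), User-Password(2), Message-Authenticator(80)."""
    attrs = _attr(1, user) + _attr(2, hide_password(password, secret, req_auth))
    ma_off = 20 + len(attrs) + 2          # offset of the 16-byte HMAC value
    attrs += _attr(80, b"\x00" * 16)      # zero-filled while the HMAC is computed
    pkt = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs)
    pkt[ma_off:ma_off + 16] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt), ma_off

def message_authenticator_ok(pkt, ma_off, secret):
    """HMAC-MD5 over the packet with the attribute value zeroed (RFC 2869 5.14)."""
    zeroed = pkt[:ma_off] + b"\x00" * 16 + pkt[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(pkt[ma_off:ma_off + 16], expected)

# Constructed sample values, not taken from the thread.
CLIENT_SECRET, SERVER_SECRET = b"client-side-secret", b"server-side-secret"
REQ_AUTH = bytes(range(16))
PACKET, MA_OFF = build_access_request(7, REQ_AUTH, b"bob", b"hunter2", CLIENT_SECRET)

if __name__ == "__main__":
    hidden = PACKET[27:43]  # User-Password value: 20 header + 5 User-Name + 2 attr header
    print("decoded with wrong secret:", unhide_password(hidden, SERVER_SECRET, REQ_AUTH))
    print("Message-Authenticator ok: ", message_authenticator_ok(PACKET, MA_OFF, SERVER_SECRET))
```

Without attribute 80 the server has only the decoded bytes to go on, and those are a legal password whatever they contain.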

