Re: EAP success with MD5 authentication

Thanx Alan for correcting me .. I had mistakenly written 2869.. Its actually
RFC 2865..
i didnt know that " The text in RRC 2865 is not
referring to EAP, it's referring to systems like X9.9 token cards."
The problem i posted is solved finally !! In sending Response Radius packets,
NAS do not need to add User-password attribute. EAP data itself contains the
response to Access challenge..
The password for EAP user is configured in "users" file .. and it is this
password that the station also uses in its response..

From: "Alan DeKok" <aland@ox.org>
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP success with MD5 authentication
Date: Tue, 15 Feb 2005 12:51:31 -0500
Reply-To: freeradius-users@lists.freeradius.org

Madhu Dubey <madhu.dubey@dcmtech.co.in> wrote:

> But as per RFC 2869, response to Access challenge should contain User
password
> as the user-response.
>

> "If the NAS supports challenge/response, receipt of a valid



There is no such text in RFC 2869. I think you're referring to RFC
2865.


> On setting User-Passwd as User response(EAP data),user is not
> matched against the users file entry..



I have no idea what you mean by that. The text in RRC 2865 is not
referring to EAP, it's referring to systems like X9.9 token cards.


> rlm_eap_md5: User-Password is required for EAP-MD5 authentication



You have to tell the server what the "known good" clear-text
password is for the user. EAP-MD5 uses that "known good" password to
validate the data in the EAP-MD5 packet.


> If it is the encrypted password in users file



Then EAP-MD5 won't work.


Alan DeKok.





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html