Incorrect trust anchor reported as radius authentication rejected
Bug #1438484 reported by Sam Hartman
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Project Moonshot | Triaged | High | Dan Breslau |
Bug Description
If you have a trust anchor specified that does not match the target realm, then you get a radius authentication rejected error.
You can see the real problem if you set the GSSEAP_TRACE environment variable.
Two issues here. First, this should be reported with a better error return.
Secondly, though, the fact that we're getting to a RADIUS reject suggests the client state machine is broken.
What if the other side were to return a success or something like that? I suspect the lack of an EAP key would save us, but it seems like the client should consider trust anchor validation more fatal and definitely should report the error more correctly.
Changed in moonshot:
status: New → Triaged
assignee: nobody → Dan Breslau (dbreslau)
importance: Undecided → High
Sounds like a libradsec issue. Is that correct?
Out of curiosity, can you elaborate on the comment about lacking an EAP key in the success (RADIUS authn) case?