Reply-Message and Eap

Alan DeKok aland at deployingradius.com
Wed Mar 4 14:15:29 CET 2015


On Mar 4, 2015, at 8:09 AM, Sam Hartman <hartmans at mit.edu> wrote:
> so, I understand why it would be confusing to have both a Reply-Message
> and an Eap-Message in the same packet.

  In theory it shouldn’t be a problem.  But...

> I'm a bit confused why it's desirable to insert an EAP failure into a
> packet in an access reject case.

  So the failure gets back to the supplicant.  An explicit failure indication is better than having the supplicant wonder why the NAS stopped talking to it.

>  We'd like to do a better job of error
> reporting back to ABFAB clients than "Uh, it failed."  for some things
> we can use Error-Cause as we discussed previously.

  That would be very nice.

> However it would be really nice to get a text string back too.
> 
> What I'd like to do is send back  a packet  with no EAP message  and a
> Reply-Message.
> Will that break things?

  Maybe.  Some “helpful” (i.e. idiotic) NAS vendors turn Reply-Message into EAP-Notification.  The “helpful” (i.e. idiotic) supplicants go OMFG I don’t understand that… and drop the connection.

  That issue is less of a problem on Access-Reject, of course.

> would it be reasonable to update policy to prefer keeping Reply-Message
> over replacing Reply-Message with an EAP failure in the case where we're
> handling a reject that currently has no EAP message at all?  I.E. we
> rejected before eap got called in authorize/authenticate, or unlang
> removed Eap-Message.

  Probably.  Maybe.

  It all depends on what the NAS and supplicants do.  After ~20 years of doing this, I’m not going to guess what kind of crazy thing people do.

  All I can say is try it, and see if it works.

  Alan DeKok.




More information about the Freeradius-Devel mailing list