Reply-Message and Eap

Sam Hartman hartmans at mit.edu
Thu Mar 5 16:32:54 CET 2015


>>>>> "Jouni" == Jouni Malinen <jkmalinen at gmail.com> writes:

    Jouni> On Thu, Mar 5, 2015 at 11:45 AM, Sam Hartman <hartmans at mit.edu> wrote:
    >> No, I'm actually more interested in getting a text string to the
    >> NAS than the peer.

    Jouni> OK. As long as the NAS knows how to generate EAP-Failure from
    Jouni> a Access-Reject without EAP-Message, that should work fine by
    Jouni> adding the Reply-Message attribute instead. At least the NAS
    Jouni> implementation I'm familiar with would indeed do that and
    Jouni> would not have issues with EAP-Message being replaced with
    Jouni> Reply-Message.

The NAS currently generates a very hard lower-layer failure ( a hard
fail error token; I think section 7.5 of RFC 7055) which requires the
supplicant to drop this authentication attempt.
3579 actually mandates against synthesizing an EAP failure (or at least
gives you a SHOULD NOT for that; can't remember which)

I'm kind of unconvinced of the value of EAP failure for lower layers
that have their own signaling.
You're never guaranteed to get an EAP failure if the NAS doesn't
synthesize one.  You might have a non-EAP-aware proxy that decided to
reject as an example.

--Sam


More information about the Freeradius-Devel mailing list