EAP Notification

Stefan Winter stefan.winter at restena.lu
Thu Jan 3 16:50:33 CET 2008 

Hi,

> Running a packet capture of an EAP TTLS session against FR cvs head, 
> noticed EAP Notifcation packets are being sent.
> The type-data appears to match that of the Reply-Message. Is this a 
> feature of rlm_eap that I missed before,
> or is the NAS being clever about it's interpretation of the
> Access-Accept  packet, and encapsulating the Reply-Message attribute in an
> EAP-Request Notification packet ?

Didn't we have a similar discussion on this list before, about RFC3579's text 
in chapter 2.6.5? IIRC, the outcome was that a Access-Accept packet which 
contains an EAP-Message attribute MUST NOT contain a Reply-Message? And since 
EAP conversations end with an Access-Accept that always contains an 
EAP-Message with EAP-Success in it, no Reply-Message should be sent at all?

Plus, RFC3579 contains lots of text in that chapter that explains why it is a 
bad idea to a) send a Reply-Message anyways and b) why a NAS should silently 
discard this attribute if present, rather than try and translate it to a 
Notification.

So, I agree with Josh that it must be something very NAS-specific, but it's 
highly dubious that it's a good thing.

Then again, if RFC3579 would be updated some time soon so that the behaviour 
is then standardised and not any more vendor-voodoo (keying material stuff is 
under review anyways by the HOKEY wg), and if the drawbacks mentioned in 
there could be solved cleanly, *then* this behaviour could become a good one. 
A very good one even, for those debugging purposes.

Like, concern [1] in RFC3579 section 2.6.5 could be addressed by: the NAS then 
MUST filter out the EAP-Response/Notification packet and not forward it to 
the RADIUS server and treat this EAP conversation as ended.

concern [2] could be addressed with: since the NAS knows all identifiers in 
use for current EAP conversations, it can choose one that is currently not in 
use.

Then again, RFC3748 (EAP) states: 

5.2.  Notification

   Description

      The Notification Type is optionally used to convey a displayable
      message from the authenticator to the peer.  An authenticator MAY
      send a Notification Request to the peer at any time when there is
      no outstanding Request, prior to completion of an EAP
      authentication method. 

, the important part being *prior to completion*. So the only message flow 
that makes sense in this context is

(supplicant)		(NAS)			(RADIUS-Server)

... EAP ...
			    <------------------ Access-Accept with
						EAP-Message and
						Reply-Message
	<--------------- EAP-Req/Notification
			 (containing Reply-M)

	---------------> EAP-Resp/Notification
			
			--- NAS discards EAP-Resp,
			no forward to Server ---

	<--------------- EAP-Success with
			 content of EAP-Message


Is that what you're seeing? In that case, quite cool, but that should be 
somewhat explicitly documented in an update of RFC3579 because it is not 
exactly trivial.

I wonder though why FR permits sending a Reply-Message when an EAP-Message is 
present. I used to think it forbids that for RFC-compliance reasons.

Greetings,

Stefan


>
> Either way it's pretty cool, and the message gets logged in
> /var/log/system.log (On Mac OS X) which has the potential to be useful
> for debugging...
>
> Thanks,
> Arran



-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080103/2f9cbdba/attachment.pgp>

More information about the Freeradius-Users mailing list