about eap_handler

blue_11j at yahoo.co.jp blue_11j at yahoo.co.jp
Tue Jun 24 11:59:31 CEST 2008

Thank you for your reply.

Alan DeKok <aland at deployingradius.com> wrote:

> blue_11j at yahoo.co.jp wrote:
> > but it looks like that:
> >   When radiusd received an EAP-Identity request,
> >   eaplist_add(inst, handler) called in eap_authenticate()
> >   in rlm_eap.c,
> >   and the handler is allocated by eap_handler_alloc()
> >   in eap_handler() in eap.c.
>   Hmm...  OK.  So long as one non-identity packet comes through, this
> shouldn't be a problem.

It is a problem when a malicious "EAP Identity DoS attack" is received.

>   But OK, I'll look into fixing that in the next release.

If possible, we want to fix that in FR 1.1.7.
Which way do you think is better?
- in eaplist_add(), expire the eap_handler same as
- if it continues to receive EAP Identity over a limit number,
  add no more to the list and ignore.
   (if it receives a non-identity packet, reset the counter).
or other way ...
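
The second option proposed above (count consecutive EAP Identity packets, stop adding over a limit, reset on a non-identity packet), as an added sketch that is not FreeRADIUS code and not written by either poster. The per-peer key, the limit of 3, the fixed table size and every function name are assumptions.

```c
/* Added sketch, not FreeRADIUS code: all names below are hypothetical. */
#include <stdio.h>
#include <string.h>

#define EAP_TYPE_IDENTITY 1   /* EAP Type 1 = Identity (RFC 3748) */
#define ID_LIMIT   3          /* assumed limit of consecutive Identity packets */
#define MAX_PEERS  64         /* assumed fixed table size, keeps memory bounded */

struct peer { char key[64]; unsigned id_run; int used; };
static struct peer peers[MAX_PEERS];

/* Find or create the slot for a peer key; NULL when the table is full. */
static struct peer *peer_get(const char *key)
{
    struct peer *free_slot = NULL;
    for (int i = 0; i < MAX_PEERS; i++) {
        if (peers[i].used && strcmp(peers[i].key, key) == 0) return &peers[i];
        if (!peers[i].used && !free_slot) free_slot = &peers[i];
    }
    if (!free_slot) return NULL;
    snprintf(free_slot->key, sizeof(free_slot->key), "%s", key);
    free_slot->id_run = 0;
    free_slot->used = 1;
    return free_slot;
}

/* Return 1 to process the packet (an Identity packet would then get a new
 * handler added to the list), 0 to ignore it without allocating anything. */
int eap_packet_allowed(const char *key, int eap_type)
{
    struct peer *p = peer_get(key);
    if (!p) return eap_type != EAP_TYPE_IDENTITY; /* untracked: no new handlers */
    if (eap_type != EAP_TYPE_IDENTITY) {          /* session is progressing */
        p->id_run = 0;                            /* reset the counter */
        return 1;
    }
    if (p->id_run >= ID_LIMIT) return 0;          /* over the limit: ignore */
    p->id_run++;
    return 1;
}

int main(void)
{
    const char *k = "nas1/00-11-22-33-44-55";     /* constructed sample key */
    for (int i = 1; i <= 5; i++)
        printf("identity #%d -> %d\n", i, eap_packet_allowed(k, EAP_TYPE_IDENTITY));
    printf("non-identity -> %d\n", eap_packet_allowed(k, 13));
    printf("identity -> %d\n", eap_packet_allowed(k, EAP_TYPE_IDENTITY));
    return 0;
}
```

The counter only bounds handlers per key, so it is as strong as the key is hard to forge; expiring stale handlers, the first option in the list, is still needed to bound the total.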
