Reply-message and supplicant

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Mon Jun 8 14:47:38 CEST 2009


On 8/6/09 13:26, David Mitton wrote:
> A couple comments on this thread...
>
> The problem with including Reply message text in EAP is that the Reply
> attribute comes in the Accept or Reject message, which will be carrying
> the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry
> attributes, so a Reply would have to be turned into a Notification
> message by a smart AP and sent as an exchange prior to the Success/Fail.
> That doesn't look likely.

ProCurve wired switches do this in the earlier software versions < H.10.74. They actually send the EAP-Notification *after* the EAP-Success or EAP-Failure which is what breaks WPA-Supplicant.

As far as its state machines are concerned, the EAP-Success/EAP-Failure messages signify the end of authentication... so if it receives an EAP-Notification message *after* the EAP-Success/EAP-Failure, it sees it as the NAS requesting to restart authentication.

>
> An EAP method can send its own Notification message including any text
> it wants. This will get wrapped in RADIUS with an EAP message attribute
> in an Access-Challenge, and go the normal path. The next problem is
> getting the supplicant to do anything with it, like show the user.
>

WPA_Supplicant shows the contents of EAP-Notifications; the Mac OS X supplicant logs the message to /var/system.log; the Windows supplicant largely ignores them.

> This can be a problem if your supplicant is Windows. The Windows
> wireless EAP system silently discards EAP Notification messages on XP.
> On Vista, an EAPHost API method can get them if they ask. A RasEap API
> method is SOL, because they are discarded and not responded to, breaking
> the protocol. (Ask me how I know ;^} ) Look for a forthcoming patch for
> Vista.
>

Arran
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
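The ordering problem described in the message above, modelled as an added example (this is not code from the thread, from FreeRADIUS, or from wpa_supplicant). A tiny EAP peer state machine in the spirit of RFC 4137 receives authenticator-to-peer frames only; the packet builder, the `Supplicant` class and the notification text are constructed for illustration. Success/Failure has no Type field and ends the conversation, so a Request (such as a Notification) arriving afterwards can only be read as the authenticator starting over, which is exactly the restart the supplicant reports when a switch sends the Notification after the Success.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# EAP codes (RFC 3748, section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# EAP types used in this model
EAP_TYPE_IDENTITY, EAP_TYPE_NOTIFICATION = 1, 2


def eap_packet(code: int, identifier: int,
               eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
    Success and Failure carry no Type field at all."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


@dataclass
class Supplicant:
    """Minimal peer-side model (hypothetical): only inbound frames are handled,
    responses are not generated."""
    state: str = "IDLE"              # IDLE -> RUNNING -> SUCCESS | FAILURE
    shown: List[str] = field(default_factory=list)   # notification text shown to the user
    restarts: int = 0                # how often a Request arrived after end-of-auth
    log: List[str] = field(default_factory=list)

    def receive(self, pkt: bytes) -> None:
        code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt):
            raise ValueError("EAP Length field does not match frame size")
        if code in (EAP_SUCCESS, EAP_FAILURE):
            # End of the EAP conversation; nothing else is expected afterwards.
            self.state = "SUCCESS" if code == EAP_SUCCESS else "FAILURE"
            self.log.append(f"auth finished: {self.state}")
            return
        if code != EAP_REQUEST:
            return  # a peer ignores stray Responses
        if self.state in ("SUCCESS", "FAILURE"):
            # A Request after Success/Failure can only mean the NAS wants to start over.
            self.restarts += 1
            self.state = "IDLE"
            self.log.append("request after end-of-auth: restarting authentication")
        if pkt[4] == EAP_TYPE_NOTIFICATION:
            text = pkt[5:].decode("utf-8", "replace")
            self.shown.append(text)
            self.log.append(f"notification shown: {text!r}")
        self.state = "RUNNING"


NOTICE = b"Your password expires in 3 days"   # constructed notification text


def notification_before_success() -> List[bytes]:
    """Ordering that lets the peer display the text and still finish cleanly."""
    return [eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
            eap_packet(EAP_REQUEST, 2, EAP_TYPE_NOTIFICATION, NOTICE),
            eap_packet(EAP_SUCCESS, 3)]


def notification_after_success() -> List[bytes]:
    """Ordering described in the thread: Success first, then the Notification."""
    return [eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
            eap_packet(EAP_SUCCESS, 2),
            eap_packet(EAP_REQUEST, 3, EAP_TYPE_NOTIFICATION, NOTICE)]


def run(frames: List[bytes]) -> Supplicant:
    """Feed a sequence of authenticator frames to a fresh supplicant model."""
    peer = Supplicant()
    for frame in frames:
        peer.receive(frame)
    return peer


if __name__ == "__main__":
    for name, frames in (("notification before success", notification_before_success()),
                         ("notification after success", notification_after_success())):
        peer = run(frames)
        print(f"{name}: final state={peer.state} restarts={peer.restarts}")
        for line in peer.log:
            print("   ", line)
```

Run it and the second scenario ends with the peer back in RUNNING with `restarts == 1`, while the first ends in SUCCESS with the same text shown and no restart; the only difference between the two is the order of the frames, which is the point of the complaint about the switch firmware.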



More information about the Freeradius-Users mailing list