Reply-message and supplicant
Alexander Clouter
alex at digriz.org.uk
Mon Jun 8 16:13:25 CEST 2009
Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk> wrote:
> On 8/6/09 13:26, David Mitton wrote:
>> A couple comments on this thread...
>>
>> The problem with including Reply message text in EAP is that the Reply
>> attribute comes in the Accept or Reject message, which will be carrying
>> the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry
>> attributes, so a Reply would have to be turned into a Notification
>> message by a smart AP and sent as an exchange prior to the Success/Fail.
>> That doesn't look likely.
>
> ProCurve wired switches do this in the earlier software versions <
> H.10.74. They actually send the EAP-Notification *after* the
> EAP-Success or EAP-Failure which is what breaks WPA-Supplicant.
>
> As far as its state machines are concerned the EAP-Success/EAP-Failure
> messages signifies the end of authentication... so if it receives an
> EAP-Notification message *after* the EAP-Success/EAP-Failure, it sees
> it as the NAS requesting to restart authentication.
>
http://tools.ietf.org/html/rfc3748#section-5.2
Implies that if you send EAP-Notification with an EAP-Success/Failure
you are being a bad bad boy. However that is me reading 'prior to
completion' meaning any packet before EAP-Success/Failure which does
not include that final packet.
Cheers
--
Alexander Clouter
.sigmonster says: "MOKE DAT YIGARETTE"
-- "The Last Coin", James P. Blaylock
More information about the Freeradius-Users
mailing list