"Alan" == Alan DeKok <aland@deployingradius.com> writes:
>> would it be reasonable to update policy to prefer keeping >> Reply-Message over replacing Reply-Message with an EAP failure in >> the case where we're handling a reject that currently has no EAP >> message at all? I.E. we rejected before eap got called in >> authorize/authenticate, or unlang removed Eap-Message. Alan> Probably. Maybe. Alan> It all depends on what the NAS and supplicants do. After Alan> ~20 years of doing this, I’m not going to guess what kind of Alan> crazy thing people do. Alan> All I can say is try it, and see if it works. I know what my code will do:-) The behaviors seem reasonable. If we get an access reject our NAS will always generate a protocol error of some kind to our supplicant at the lower layer. So, it sounds like doing this for ABFAb would be OK especially if I have confidence that ABFAB NASes and supplicants won't suck, but a global change wouldn't be so good of an idea unless I had some way to survey the behavior of some huge fraction of the market. In that case I'll confine patches to the sample abfab policy. --Sam