18 Sep
2015
18 Sep
'15
9:50 a.m.
Yes, of course it can be used but the point that I was trying to make is that it is decoupled/unrelated because it is not required. Full EAP auth can-and-does take place during re-authentication for some clients, often depending on config. It occurs at a different layer of abstraction. (This is secure and reliable where it does take place.) The User-Name and the Calling-Station-Id are values supplied by a client so they cannot be blindly trusted. Another STA/client can spoof these which would conceptually result in the same Class attribute being returned. It is fundamentally something that is not a robust primitive to be relied upon therefore. Regards, Nick