EAP post auth reject and access-challenge
Hi, Just wondered if someone could explain the reason why, on rejection of EAP authentication, an access challenge request is sent out to the NAS, and whether it's something we can control or not? Thanks Andy
On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote:
Hi,
Just wondered if someone could explain the reason why, on rejection of EAP authentication, an access challenge request is sent out to the NAS, and whether it’s something we can control or not?
I assume you're referring to the fact that the inner tunnel reject is sent as an outer access-challenge? The packet flow is this: C: Access-Request EAP / TLS-setup S: Access-Challenge EAP / TLS-setup ... C: Access-Request EAP / TLS / inner access-request S: Access-Challenge EAP / TLS / inner access-reject C: Access-Request EAP / TLS [ack] S: Access-Reject EAP / reject Basically, the protocols send the inner reject as a TLS frame, so that the client can't be tricked by a fake reject. The client then ACKs it, and the server then sends the RADIUS-level reject. So no, you can't turn it off - it's part of the protocol specifications. Why is this a problem for you?
participants (2)
-
Franks Andy (RLZ) IT Systems Engineer -
Phil Mayers