Quick question about RFC 3579 2.6.5
Hi, Well, RFC 3579 2.6.5 says : If EAP-Message, then there MUST not be a Reply-Message. I understand the point on this based on the RFC. In my case (remember the eduroam design thread from a while back), I have several "local" Radius which proxy all request to my central radius, which in turn perform the authn+z for the users, or forward the request to the top level radius if the user do not belong to our organization (eduroam stuff, nothing new so far). So, I would like, in case of Access-Reject of OUR users, logging in OUR schools, to send back a reply-message to the local radius in the outer reply, so the local admin know why its user has been rejected. This would be logged then stripped before the reply reach the NAS. If it's an external user in our network, or one of our users but in an external network, then I won't add the Reply-Message. Would this still be illegal and would I end in jail ? ;) Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
Hi,
Well, RFC 3579 2.6.5 says : If EAP-Message, then there MUST not be a Reply-Message. I understand the point on this based on the RFC.
check RFC 5080 - which updates that RFC. however, your reply message is not going on as part of the EAP conversation....you are sending the reply message to the outer-tunnel as part of the reject...no within the inner-tunnel EAP session...so there shouldnt be any EAP message around (but hey, who knows? ! ;-) ) just run in debug mode (radiusd -X) and check/see what packets and contents you are sending dont worry too much - some RADIUS servers break all the specs with regards to contents of some packets...at least FreeRADIUS gives you the chance to behave ( I assume you are running the attr filter on access requests to keep the contents legal? ;-) ) alan
Thanks for your answer; I've been testing FreerRadius authentication against Active Directory with Microsoft RRAS setting FreeRadius as the RADIUS server for it and the authentication worked and as for the next step I'll go on configuring my Fortigate firewall to use FreeRadius as a RADIUS server; I'll send the output from radiusd -X for you. By the way, right now I'm testing something else called ZeroShell which as well is using FreeRadius (config files at /etc/raddv.v2). It has a nice web interface and includes the accounting feature I'm looking for. Anyone knows how to get it integrated with Active Directory? ----------------------- Regards, Alireza
________________________________ From: "A.L.M.Buxey@lboro.ac.uk" <A.L.M.Buxey@lboro.ac.uk> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Friday, January 25, 2013 2:40 PM Subject: Re: Quick question about RFC 3579 2.6.5
Hi,
Well, RFC 3579 2.6.5 says : If EAP-Message, then there MUST not be a Reply-Message. I understand the point on this based on the RFC.
check RFC 5080 - which updates that RFC. however, your reply message is not going on as part of the EAP conversation....you are sending the reply message to the outer-tunnel as part of the reject...no within the inner-tunnel EAP session...so there shouldnt be any EAP message around (but hey, who knows? ! ;-) )
just run in debug mode (radiusd -X) and check/see what packets and contents you are sending
dont worry too much - some RADIUS servers break all the specs with regards to contents of some packets...at least FreeRADIUS gives you the chance to behave ( I assume you are running the attr filter on access requests to keep the contents legal? ;-) )
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 25.01.2013 12:10, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
Well, RFC 3579 2.6.5 says : If EAP-Message, then there MUST not be a Reply-Message. I understand the point on this based on the RFC.
check RFC 5080 - which updates that RFC. however, your reply message is not going on as part of the EAP conversation....you are sending the reply message to the outer-tunnel as part of the reject...no within the inner-tunnel EAP session...so there shouldnt be any EAP message around (but hey, who knows? ! ;-) )
Welle there's an EAP-Message in the Access-Reject with code 0x04 for the failure ;)
dont worry too much - some RADIUS servers break all the specs with regards to contents of some packets...at least FreeRADIUS gives you the chance to behave ( I assume you are running the attr filter on access requests to keep the contents legal? ;-) )
Yeah I do filter everything that comes from NAS and from outside of my eduroam realm. You can't trust people :p I only allow WISPr-Location-Info as this start to be widely used in switzerland when user are roaming :) Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
On 01/25/2013 06:56 AM, Olivier Beytrison wrote:
Would this still be illegal and would I end in jail ? ;)
We do it; it works fine. I'll be honest, I have no idea if it's illegal per spec, but don't really care - denying Reply-Message in Access-Reject/Accept containing EAP-Message doesn't seem useful to me.
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Alireza Goftari -
Olivier Beytrison -
Phil Mayers