aland at nitros9.org
Mon Jun 26 03:59:17 CEST 2006
> > Apparently, the problem is a different RFC interpretation. The EAP
> > implemented in freeradius makes an unnecessary check in the handle->identity
> > variable.
RFC 3579, Section 2.1, in the second paragraph on page 7 says:
   In order to permit non-EAP aware RADIUS proxies to forward the
   Access-Request packet, if the NAS initially sends an
   EAP-Request/Identity message to the peer, the NAS MUST copy the
   contents of the Type-Data field of the EAP-Response/Identity received
   from the peer into the User-Name attribute and MUST include the
   Type-Data field of the EAP-Response/Identity in the User-Name
   attribute in every subsequent Access-Request. ...
This is what FreeRADIUS enforces. The text could not be more clear.
It *does* go on to say:
   If the NAS initially sends an EAP-Request for an
   authentication method, and the peer identity cannot be determined
   from the EAP-Response, then the User-Name attribute SHOULD be
   determined by another means. As noted in [RFC2865] Section 5.6, it
   is recommended that Access-Requests use the value of the
   Calling-Station-Id as the value of the User-Name attribute.
Note that this text does NOT contradict the previous text.
Note also that the patch you supplied changes the behavior for
everyone else, which is not nice.
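The two RFC 3579 paragraphs quoted above, written out as a server-side consistency check. This is an added illustration, not FreeRADIUS code: it assumes a simplified Access-Request represented as a dict of attribute name to bytes value, with the EAP-Message attribute already reassembled into one EAP packet (real RADIUS fragments it across several EAP-Message attributes).

```python
import struct

EAP_RESPONSE = 2        # EAP Code for Response (RFC 3748 section 4)
EAP_TYPE_IDENTITY = 1   # EAP Type for Identity (RFC 3748 section 5.1)


def parse_eap(packet: bytes):
    """Split an EAP packet into (Code, Identifier, Type, Type-Data).

    Header is Code(1) Identifier(1) Length(2); Type and Type-Data follow
    only for Request/Response packets longer than the 4-byte header.
    """
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if length == 4:
        return code, ident, None, b""
    return code, ident, packet[4], packet[5:]


def build_eap_response(ident: int, eap_type: int, type_data: bytes) -> bytes:
    """Constructed helper for sample input: encode an EAP-Response packet."""
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBHB", EAP_RESPONSE, ident, length, eap_type) + type_data


def check_identity(attrs: dict):
    """Apply the RFC 3579 section 2.1 User-Name rule to a (simplified) Access-Request.

    Returns (accept, reason). A mismatch between User-Name and the
    EAP-Response/Identity Type-Data is rejected, which is the check the
    thread is discussing; for non-Identity responses the identity cannot
    be taken from the EAP packet, so only presence of User-Name is required
    (the RFC suggests Calling-Station-Id as that fallback value).
    """
    eap = attrs.get("EAP-Message")
    user_name = attrs.get("User-Name")
    if eap is None:
        return True, "no EAP-Message; identity rule does not apply"
    code, _, eap_type, type_data = parse_eap(eap)
    if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
        if user_name is None:
            return False, "User-Name missing; MUST carry EAP-Response/Identity Type-Data"
        if user_name != type_data:
            return False, "User-Name does not match EAP-Response/Identity Type-Data"
        return True, "User-Name matches EAP-Response/Identity"
    if user_name is None:
        return False, "User-Name missing and identity not derivable from EAP-Response"
    return True, "identity not in EAP-Response; User-Name supplied by other means"
```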