bug report

Alan DeKok aland at nitros9.org
Mon Jun 26 03:59:17 CEST 2006

> > Apparently, the problem is a different RFC interpretation. The EAP 
> > implemented in freeradius make a unnecessary check in handle->identity 
> > variable.

  RFC 3579, Section 2.1, in the second paragraph on page 7 says:

   In order to permit non-EAP aware RADIUS proxies to forward the
   Access-Request packet, if the NAS initially sends an
   EAP-Request/Identity message to the peer, the NAS MUST copy the
   contents of the Type-Data field of the EAP-Response/Identity received
   from the peer into the User-Name attribute and MUST include the
   Type-Data field of the EAP-Response/Identity in the User-Name
   attribute in every subsequent Access-Request.   ...

  This is what FreeRADIUS enforces.  The text could not be more clear.

  It *does* go on to say:

   If the NAS initially sends an EAP-Request for an
   authentication method, and the peer identity cannot be determined
   from the EAP-Response, then the User-Name attribute SHOULD be
   determined by another means.  As noted in [RFC2865] Section 5.6, it
   is recommended that Access-Requests use the value of the
   Calling-Station-Id as the value of the User-Name attribute.

  Note that this text does NOT contradict the previous text.

  Note also that the patch you supplied changes the behavior for
everyone else, which is not nice.

  Alan DeKok.

More information about the Freeradius-Devel mailing list