Reply-Message and Eap

Sam Hartman hartmans at
Wed Mar 4 14:19:30 CET 2015

>>>>> "Alan" == Alan DeKok <aland at> writes:

    >> would it be reasonable to update policy to prefer keeping
    >> Reply-Message over replacing Reply-Message with an EAP failure in
    >> the case where we're handling a reject that currently has no EAP
    >> message at all?  I.E. we rejected before eap got called in
    >> authorize/authenticate, or unlang removed Eap-Message.

    Alan>   Probably.  Maybe.

    Alan>   It all depends on what the NAS and supplicants do.  After
    Alan> ~20 years of doing this, I’m not going to guess what kind of
    Alan> crazy thing people do.

    Alan>   All I can say is try it, and see if it works.

I know what my code will do:-)  The behaviors seem reasonable.  If we
get an access reject our NAS will always generate a protocol error of
some kind to our supplicant at the lower layer.

So, it sounds like doing this for ABFAB would be OK especially if I have
confidence that ABFAB NASes and supplicants won't suck, but a global
change wouldn't be so good of an idea unless I had some way to survey
the behavior of some huge fraction of the market.

In that case I'll confine patches to the sample abfab policy.
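To make the policy question concrete, here is one way the preference described above (keep Reply-Message when a reject carries no EAP-Message, let the eap module turn it into an EAP-Failure only when EAP was actually in progress) could be expressed in FreeRADIUS unlang. This is an added illustration, not Sam's patch and not the project's shipped Post-Auth-Type REJECT section; it assumes FreeRADIUS 3.x unlang syntax, the stock `eap` module instance and the stock `attr_filter.access_reject` instance.

```unlang
# Added illustration (not the thread author's patch and not FreeRADIUS'
# shipped policy). Assumes FreeRADIUS 3.x unlang and the stock "eap" and
# "attr_filter.access_reject" module instances.
Post-Auth-Type REJECT {
    # Strip attributes that must not appear in an Access-Reject.
    attr_filter.access_reject

    if (&reply:EAP-Message) {
        # EAP was in progress: let the eap module replace the reject's
        # EAP-Message with an EAP-Failure so the supplicant sees a clean
        # protocol-level failure, and drop Reply-Message, which an EAP
        # supplicant never gets to see anyway.
        eap
        update reply {
            &Reply-Message !* ANY
        }
    }
    else {
        # Rejected before eap ran in authorize/authenticate, or unlang
        # removed EAP-Message: keep Reply-Message so the NAS can relay
        # the reason, and do not call eap, which would add an EAP-Failure.
        noop
    }
}
```

The trade-off the thread identifies still applies: whether a NAS is happy with an Access-Reject that has a Reply-Message but no EAP-Message depends on that NAS, which is why this is confined to a sample policy rather than the global default.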
