Reply-Message and Eap
Sam Hartman
hartmans at mit.edu
Wed Mar 4 14:19:30 CET 2015
>>>>> "Alan" == Alan DeKok <aland at deployingradius.com> writes:
>> would it be reasonable to update policy to prefer keeping
>> Reply-Message over replacing Reply-Message with an EAP failure in
>> the case where we're handling a reject that currently has no EAP
>> message at all? I.E. we rejected before eap got called in
>> authorize/authenticate, or unlang removed Eap-Message.
Alan> Probably. Maybe.
Alan> It all depends on what the NAS and supplicants do. After
Alan> ~20 years of doing this, I’m not going to guess what kind of
Alan> crazy thing people do.
Alan> All I can say is try it, and see if it works.
I know what my code will do :-) The behaviors seem reasonable. If we
get an access reject our NAS will always generate a protocol error of
some kind to our supplicant at the lower layer.
So, it sounds like doing this for ABFAB would be OK, especially if I have
confidence that ABFAB NASes and supplicants won't suck, but a global
change wouldn't be so good of an idea unless I had some way to survey
the behavior of some huge fraction of the market.
In that case I'll confine patches to the sample abfab policy.
--Sam