eap id bug

Alan DeKok aland at ox.org
Thu Jul 14 01:26:43 CEST 2005


DALE REAMER <dale_reamer at prodigy.net> wrote:
> When using freeradius with wpa_supplicant I have noticed freeradius
> does not bump the EAP id when sending back the Access-Accept
> packet. wpa_supplicant notices this and has a work around. Will the
> WPA drop this packet (it is important because it has the keys in the
> attributes). Has anyone reported this bug?

  It's not a bug in FreeRADIUS.  See the following dicussion on the
EAP working group, which is defining these standards.

http://mail.frascone.com/pipermail/eap/2004-December/003069.html
...
> Section 4.1 is about Requests and Responses, it does not cover
> EAP-Success. However, now that I looked again more closely, there is
> actually text in section 4.2 that seems to cover this:
>
>   Identifier
>
>      The Identifier field is one octet and aids in matching replies to
>      Responses.  The Identifier field MUST match the Identifier field
>      of the Response packet that it is sent in response to.
>
> (this is for Success and Failure)
>
> In other words, there are existing EAP authenticators that do not match
> the behavior defined in RFC 3748 and draft-ietf-eap-statemachine-05.txt.
> RFC 2284 seemed to have the same text, so this is not even a new
> requirement.

  For a suggest fix, that would apply to wpa_supplicant, see:

http://mail.frascone.com/pipermail/eap/2004-December/003071.html

> OK. In order to limit the effect, the workaround could be changed to be
> (reqId == lastId) || (reqId == (lastId + 1) & 0xff) which seems to cover
> all the EAP implementations I have seen in RADIUS authentication
> servers. 

  Hope this helps.

  Alan DeKok.



More information about the Freeradius-Users mailing list