Reply-message and supplicant

Alexander Clouter alex at digriz.org.uk
Mon Jun 8 16:13:25 CEST 2009


Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk> wrote:
> On 8/6/09 13:26, David Mitton wrote:
>> A couple comments on this thread...
>>
>> The problem with including Reply message text in EAP is that the Reply
>> attribute comes in the Accept or Reject message, which will be carrying
>> the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry
>> attributes, so a Reply would have to be turned into a Notification
>> message by a smart AP and sent as an exchange prior to the Success/Fail.
>> That doesn't look likely.
> 
> ProCurve wired switches do this in the earlier software versions < 
> H.10.74. They actually send the EAP-Notification *after* the 
> EAP-Success or EAP-Failure which is what breaks WPA-Supplicant.
> 
> As far as its state machines are concerned the EAP-Success/EAP-Failure 
> messages signify the end of authentication... so if it receives an 
> EAP-Notification message *after* the EAP-Success/EAP-Failure, it sees 
> it as the NAS requesting to restart authentication.
>
http://tools.ietf.org/html/rfc3748#section-5.2

Implies that if you send EAP-Notification with an EAP-Success/Failure 
you are being a bad bad boy. However, that is me reading 'prior to 
completion' as meaning any packet before EAP-Success/Failure, which 
does not include that final packet.
 
Cheers

-- 
Alexander Clouter
.sigmonster says: "MOKE DAT YIGARETTE"
                  		-- "The Last Coin", James P. Blaylock
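The ordering problem discussed in this thread, as an added example that is not part of the original post or of any project's code: a small Python check that walks a captured EAP exchange and reports Notification Requests that arrive after EAP-Success/EAP-Failure. It assumes the reading of RFC 3748 section 5.2 given above; the function names and the sample packets are constructed for illustration.

```python
import struct

# EAP codes and the Identity/Notification type numbers from RFC 3748.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NOTIFICATION = 1, 2

def eap(code, ident, eap_type=None, data=b""):
    """Build one EAP packet: Code, Identifier, Length, then Type and data."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Return (code, identifier, type or None, type-data) for one packet."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field does not match the packet")
    body = pkt[4:length]
    if code in (REQUEST, RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type octet")
        return code, ident, body[0], body[1:]
    return code, ident, None, body

def late_notifications(packets):
    """List (index, text) for Notification Requests seen after Success/Failure."""
    finished, late = False, []
    for i, pkt in enumerate(packets):
        code, _ident, eap_type, data = parse_eap(pkt)
        if code in (SUCCESS, FAILURE):
            finished = True
        elif code == REQUEST and eap_type == TYPE_NOTIFICATION and finished:
            late.append((i, data.decode("utf-8", "replace")))
        elif code == REQUEST:
            finished = False  # any other Request opens a new conversation
    return late

# Constructed sample exchanges (authenticator and peer packets in wire order).
MSG = b"Account disabled"
BEFORE = [eap(REQUEST, 1, TYPE_IDENTITY), eap(RESPONSE, 1, TYPE_IDENTITY, b"bob"),
          eap(REQUEST, 2, TYPE_NOTIFICATION, MSG), eap(RESPONSE, 2, TYPE_NOTIFICATION),
          eap(FAILURE, 2)]
AFTER = [eap(REQUEST, 1, TYPE_IDENTITY), eap(RESPONSE, 1, TYPE_IDENTITY, b"bob"),
         eap(FAILURE, 1), eap(REQUEST, 2, TYPE_NOTIFICATION, MSG)]

if __name__ == "__main__":
    print("before Failure:", late_notifications(BEFORE))
    print("after Failure: ", late_notifications(AFTER))
```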



