Send response to client

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Jun 27 15:51:30 CEST 2011


ProCurve products used to encapsulate the Reply-Message in an EAP-Notification and send it after sending the EAP-Success packet. Windows and Mac clients ignored the packet (actually Macs printed the contents in one of the log files, which was kinda cool), but WPA_Supplicant took it to mean that the switch wanted to restart authentication (which is technically correct).

Anyway, the side effect of this was that every 60 seconds or so, every 802.1X authenticated Linux Box on the network re-authenticated.

-Arran

On Jun 27, 2011, at 3:35 PM, David Mitton wrote:

> It's even worse than that.
> 
> Windows XP and Vista supplicants will respond to an EAP notification message (after dropping it on the ground) with the appropriate acknowledgement. The first release of Windows 7 wouldn't even do that. So if an EAP server sent a Notification message, the state machine would grind to a halt.
> There was a hotfix, hopefully it was integrated into the patch stream by now.
> 
> Dave. (former user of Notification messages)
> 
> Quoting Arran Cudbard-Bell <a.cudbardb at freeradius.org>:
> 
>> 
>> On Jun 27, 2011, at 7:55 AM, Christ Schlacta wrote:
>> 
>>> Is it at all possible to send a message to a Windows 7 or Windows Vista client that the client is guaranteed to see when authentication is rejected?
>> 
>> Not using EAP, no. There's a special EAP-Message type of EAP-Notification which is meant to contain a human-interpreted message, but only a few supplicants will actually display it, and none of those are bundled Windows Supplicants.
>> 
>> -Arran
>> 
>> Arran Cudbard-Bell
>> a.cudbardb at freeradius.org
>> 
>> RADIUS - Half the complexity of Diameter
>> 

Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Half the complexity of Diameter
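
The ordering described in this thread, an EAP-Notification Request arriving after EAP-Success, can be picked out of a sequence of EAP packets by parsing the RFC 3748 header. This is an added example, not code from the posters or from FreeRADIUS; the function names, the reset heuristic and the sample packets are constructed for illustration.

```python
import struct

# EAP header (RFC 3748): Code, Identifier, Length (2 bytes); Request/Response add a Type octet.
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPE_NOTIFICATION = 2

def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet; raise ValueError on truncated or inconsistent input."""
    if len(pkt) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODES or length < 4 or length > len(pkt):
        raise ValueError("bad EAP Code or Length field")
    out = {"code": CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        out["type"], out["data"] = pkt[4], pkt[5:length]  # bytes past Length are padding
    elif length != 4:
        raise ValueError("Success/Failure must have Length 4")
    return out

def notifications_after_success(packets):
    """Return (index, text) for every Notification Request that follows a Success."""
    hits, succeeded = [], False
    for i, raw in enumerate(packets):
        p = parse_eap(raw)
        if p["code"] == "Success":
            succeeded = True
        elif p["code"] == "Request" and p["type"] == TYPE_NOTIFICATION and succeeded:
            hits.append((i, p["data"].decode("utf-8", "replace")))
        elif p["code"] == "Request":
            succeeded = False  # any other Request is treated as a new conversation
    return hits

def build(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed authenticator-to-supplicant sequence (not a real capture).
SAMPLE = [
    build(1, 1, 1),                            # Request/Identity
    build(1, 2, 2, b"notice before success"),  # Notification inside the conversation
    build(3, 2),                               # Success
    build(1, 3, 2, b"reply message text"),     # Notification sent after Success
]

if __name__ == "__main__":
    print(notifications_after_success(SAMPLE))
```
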





More information about the Freeradius-Users mailing list