Quick question about RFC 3579 2.6.5

Olivier Beytrison olivier at heliosnet.org
Fri Jan 25 07:56:54 CET 2013


Well, RFC 3579 2.6.5 says: if EAP-Message, then there MUST NOT be a
Reply-Message. I understand the point of this based on the RFC.

In my case (remember the eduroam design thread from a while back), I
have several "local" RADIUS servers which proxy all requests to my central
RADIUS, which in turn performs the authn+z for the users, or forwards the
request to the top-level RADIUS if the user does not belong to our
organization (eduroam stuff, nothing new so far).

So, I would like, in case of Access-Reject of OUR users, logging in OUR
schools, to send back a Reply-Message to the local RADIUS in the outer
reply, so the local admin knows why their user has been rejected. This
would be logged, then stripped before the reply reaches the NAS.
If it's an external user in our network, or one of our users but in an
external network, then I won't add the Reply-Message.

Would this still be illegal, and would I end up in jail? ;)


 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: olivier at heliosnet.org
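The proxy-side behaviour described in the post (log the Reply-Message coming back from the central server, then strip it so the reply that reaches the NAS satisfies RFC 3579 2.6.5) can be modelled as a small check over the reply's attribute set. The following is an added example, not code from the post or from the FreeRADIUS project: it uses a plain dict as a stand-in for a RADIUS reply, constructed sample attribute values (the EAP Failure bytes and the reject reason are made up for illustration), and a hypothetical `sanitize_proxied_reply` helper rather than any real FreeRADIUS module or unlang section.

```python
import logging

# Attribute names as they appear in the post; the dict-based packet model
# below is an assumption of this example, not a real RADIUS library API.
EAP_MESSAGE = "EAP-Message"
REPLY_MESSAGE = "Reply-Message"

log = logging.getLogger("radius-proxy")


def violates_rfc3579_2_6_5(attrs):
    """True when a reply carries both EAP-Message and Reply-Message,
    which RFC 3579 section 2.6.5 forbids in one packet."""
    return EAP_MESSAGE in attrs and REPLY_MESSAGE in attrs


def sanitize_proxied_reply(code, attrs):
    """Proxy-side post-processing of a reply received from the home server.

    If the reply is an EAP reply that also carries Reply-Message, record the
    message(s) locally (so the local admin sees the reject reason) and remove
    them before forwarding to the NAS. Non-EAP replies are left untouched.
    Returns (cleaned_attrs, logged_messages).
    """
    cleaned = dict(attrs)
    logged = []
    if violates_rfc3579_2_6_5(cleaned):
        msgs = cleaned.pop(REPLY_MESSAGE)
        if isinstance(msgs, str):
            msgs = [msgs]
        for msg in msgs:
            log.info("%s for %s: %s", code, cleaned.get("User-Name", "?"), msg)
            logged.append(msg)
    return cleaned, logged


# Constructed sample: an Access-Reject for a home user, as the central
# server in the post would send it to a local proxy. The EAP-Message value is
# an EAP Failure (code 4, id 1, length 4); the Reply-Message text is invented.
SAMPLE_EAP_REJECT = {
    "User-Name": "someone@example.org",
    EAP_MESSAGE: b"\x04\x01\x00\x04",
    "Message-Authenticator": b"\x00" * 16,
    REPLY_MESSAGE: "account disabled (constructed reason)",
}

# Constructed sample: a non-EAP (PAP) reject, where Reply-Message is allowed.
SAMPLE_PAP_REJECT = {
    "User-Name": "someone@example.org",
    REPLY_MESSAGE: "wrong password (constructed reason)",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    out, seen = sanitize_proxied_reply("Access-Reject", SAMPLE_EAP_REJECT)
    print("forwarded attrs:", sorted(out))
    print("logged locally:", seen)
```

The check is deliberately placed on the proxy that talks to the NAS, matching the post's design: whatever the home server sends on the server-to-server hop, the packet that leaves toward the NAS never carries EAP-Message and Reply-Message together.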