Quick question about RFC 3579 2.6.5

Olivier Beytrison olivier at heliosnet.org
Sat Jan 26 11:11:42 CET 2013

On 25.01.2013 12:10, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>> Well, RFC 3579 2.6.5 says : If EAP-Message, then there MUST not be a
>> Reply-Message. I understand the point on this based on the RFC.
> check RFC 5080 - which updates that RFC.  however, your reply message is
> not going on as part of the EAP conversation....you are sending the reply
> message to the outer-tunnel as part of the reject...no within the inner-tunnel
> EAP session...so there shouldnt be any EAP message around (but hey, who knows? ! ;-) )

Welle there's an EAP-Message in the Access-Reject with code 0x04 for the 
failure ;)

> dont worry too much - some RADIUS servers break all the specs with regards to
> contents of some packets...at least FreeRADIUS gives you the chance to behave
> ( I assume you are running the attr filter on access requests to keep the contents
> legal? ;-) )

Yeah I do filter everything that comes from NAS and from outside of my 
eduroam realm. You can't trust people :p I only allow 
WISPr-Location-Info as this start to be widely used in switzerland when 
user are roaming :)


  Olivier Beytrison
  Network & Security Engineer, HES-SO Fribourg
  Mail: olivier at heliosnet.org

More information about the Freeradius-Users mailing list