EAP post auth reject and access-challenge
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jun 10 17:01:52 CEST 2013
On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
>
> Just wondered if someone could explain the reason why, on rejection
> of EAP authentication, an access challenge request is sent out to the
> NAS, and whether it’s something we can control or not?
I assume you're referring to the fact that the inner tunnel reject is
sent as an outer access-challenge?
The packet flow is this:
C: Access-Request EAP / TLS-setup
S: Access-Challenge EAP / TLS-setup
...
C: Access-Request EAP / TLS / inner access-request
S: Access-Challenge EAP / TLS / inner access-reject
C: Access-Request EAP / TLS [ack]
S: Access-Reject EAP / reject
Basically, the protocols send the inner reject as a TLS frame, so that
the client can't be tricked by a fake reject. The client then ACKs it,
and the server then sends the RADIUS-level reject.
So no, you can't turn it off - it's part of the protocol specifications.
Why is this a problem for you?
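The packet flow above, as an added simulation that is not part of the original post or of FreeRADIUS: a toy server and client state machine that produces the wire sequence for a failed (and a successful) inner authentication. The TLS handshake is collapsed to a single round, and the RADIUS code and payload strings are constructed labels, not real packet encodings.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    code: str             # RADIUS code: Access-Request / Access-Challenge / Access-Reject
    eap: str              # what the EAP payload carries (constructed label)
    in_tls: bool = False  # True when the payload is a record inside the TLS tunnel

class Server:
    """Authenticator: the inner verdict is only ever sent inside the TLS tunnel."""
    def __init__(self, inner_ok: bool) -> None:
        self.inner_ok, self.state = inner_ok, "tls-setup"

    def handle(self, req: Packet) -> Packet:
        if self.state == "tls-setup":
            self.state = "inner"
            return Packet("Access-Challenge", "EAP / TLS-setup")
        if self.state == "inner":
            # Inner accept/reject goes out as a TLS record wrapped in an outer
            # Access-Challenge, so a spoofed plaintext reject cannot mimic it.
            self.state = "await-ack"
            verdict = "accept" if self.inner_ok else "reject"
            return Packet("Access-Challenge", f"EAP / TLS / inner access-{verdict}", in_tls=True)
        # The client has ACKed the tunnelled verdict: now the RADIUS-level result.
        self.state = "done"
        if self.inner_ok:
            return Packet("Access-Accept", "EAP / success")
        return Packet("Access-Reject", "EAP / reject")

class Client:
    """Supplicant: answers challenges; any other RADIUS code ends the conversation."""
    def next_request(self, reply: Optional[Packet]) -> Optional[Packet]:
        if reply is None:
            return Packet("Access-Request", "EAP / TLS-setup")
        if reply.code != "Access-Challenge":
            return None
        if reply.in_tls:  # tunnelled verdict received: ACK it so the server can finish
            return Packet("Access-Request", "EAP / TLS [ack]", in_tls=True)
        return Packet("Access-Request", "EAP / TLS / inner access-request", in_tls=True)

def run(inner_ok: bool) -> List[Tuple[str, str, str]]:
    """Drive one conversation; returns (side, RADIUS code, EAP payload) in wire order."""
    server, client, trace, reply = Server(inner_ok), Client(), [], None
    while (req := client.next_request(reply)) is not None:
        trace.append(("C", req.code, req.eap))
        reply = server.handle(req)
        trace.append(("S", reply.code, reply.eap))
    return trace
```

Running run(False) yields the six packets listed above, with the inner reject arriving as an Access-Challenge and the Access-Reject only after the client's ACK.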