[Help] Is that possible to change the reject message that appears at the Windows Pop Up
David Mitton
david at mitton.com
Thu Mar 21 20:56:37 CET 2013
Quoting Arran Cudbard-Bell <a.cudbardb at freeradius.org>:
>
> On 21 Mar 2013, at 13:26, Jouni Malinen <jkmalinen at gmail.com> wrote:
>
>> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
>> <a.cudbardb at freeradius.org> wrote:
>>> The old HP switches used to convert the Reply-Message into an
>>> EAP-Notification and send it after the EAP-Success or EAP-Failure.
>>
>> This is not compliant with the EAP specification (EAP-Notification
>> needs to be sent prior to completion of an EAP authentication method).
>> Sending it after EAP-Success or EAP-Failure would look like an attempt
>> to initiate another authentication exchange.
>
> Their 802.1X implementation was pre RFC3579. In newer firmware
> releases this has been fixed.
>
>>> It may be possible to send it before the EAP-Success/EAP-Failure
>>> message for some EAP methods, but chances are not all supplicants
>>> will like it, and most probably won't display anything.
>>
>> EAP-Notification is not really supported in general and even the
>> specification does not really require displaying anything from this
>> message to the user. There is also no way of authenticating this
>> information, so this would not be ideal for authorization failures.
>
> Agreed. But in the absence of a standards solution it might be
> interesting to experiment and see how supplicants respond to this.
>
My RSA Windows EAP module sends EAP Notification messages under 4
different error circumstances. These are typically retry-able input
problems. It was the default until the boffins that took over EAP for
Windows 7 broke their code. XP and Vista worked fine, they took the
request and responded with a blank response. No user visible message
resulted. Win7 didn't respond at all, which caused the protocol to
break. They patched it when I pointed out the problem. But I flipped
off the default, don't know if/when that was released. There is a
registry key that controls it.
Dave.
> -Arran
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
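
An added example (not from the thread or from FreeRADIUS): a Python check over an ordered EAP exchange for the two behaviours discussed above, a Notification Request sent after EAP-Success/EAP-Failure and a Notification Request the peer never answers. Packet layout and code/type numbers follow RFC 3748; the function names and sample packets are constructed, and treating the very next packet as the expected reply is a simplifying assumption that ignores retransmissions.

```python
import struct

# EAP codes and the Notification type number, per RFC 3748.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_NOTIFICATION = 2


def parse_eap(pkt: bytes):
    """Return (code, identifier, eap_type, data); eap_type is None for Success/Failure."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        return code, ident, pkt[4], pkt[5:length]
    return code, ident, None, b""


def audit(packets):
    """Flag Notification misuse in an ordered list of raw EAP packets."""
    findings, finished, pending = [], False, None
    for i, raw in enumerate(packets):
        code, ident, eap_type, _ = parse_eap(raw)
        if pending is not None:
            # The packet right after a Notification Request should be the peer's reply.
            if not (code == RESPONSE and eap_type == TYPE_NOTIFICATION and ident == pending[1]):
                findings.append((pending[0], "notification-unanswered"))
            pending = None
        if code == REQUEST and eap_type == TYPE_NOTIFICATION:
            if finished:
                findings.append((i, "notification-after-completion"))
            pending = (i, ident)
        elif code in (SUCCESS, FAILURE):
            finished = True
    if pending is not None:
        findings.append((pending[0], "notification-unanswered"))
    return findings


def eap(code, ident, eap_type=None, data=b""):
    """Build a constructed sample packet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed conversations (not captures): old-switch ordering vs. compliant ordering.
LEGACY = [eap(REQUEST, 1, 1), eap(RESPONSE, 1, 1, b"user"),
          eap(FAILURE, 1), eap(REQUEST, 2, TYPE_NOTIFICATION, b"Account locked")]
COMPLIANT = [eap(REQUEST, 1, 1), eap(RESPONSE, 1, 1, b"user"),
             eap(REQUEST, 2, TYPE_NOTIFICATION, b"Retry PIN"),
             eap(RESPONSE, 2, TYPE_NOTIFICATION), eap(FAILURE, 2)]
```

`audit(LEGACY)` reports the post-Failure Notification at index 3, while `audit(COMPLIANT)` returns no findings.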