sending Challenge + EAP-Notification before Reject?
Alan DeKok
aland at deployingradius.com
Tue Feb 18 18:19:43 CET 2014
Stefan Winter wrote:
> recently, RFC4284 was brought to my attention, which speaks of ways to
> notify EAP peers that there is no service for them - with a displayable
> message as EAP-Notification in an Access-Challenge before the final
> EAP-Failure in a Reject.
IIRC, some switches will close the port when they receive an
EAP-Notification in an Access-Challenge.
> Is this in any way doable with FreeRADIUS?
Yes. Arran was doing this a while ago, which is how he ran into the
above problem.
> I'm thinking of two scenarios primarily:
>
> * FreeRADIUS proxy can't reach home server, so writes "Sorry, your home
> server is unreachable" in a Challenge+EAP-Notification and after the
> next Request then crafts a Reject.
>
> * FreeRADIUS sees the realm, figures that it's not wanted, so writes "We
> don't serve that realm here." and then after the subsequent Request
> sends Access-Reject.
I thought that the Reply-Message in an Access-Reject could also be
turned into an EAP-Notification by the NAS. I can't recall where I saw
that, though. But it would make sense.
> I could also imagine that it could signal its own module failures as
> reason; e.g. if an rlm_sql doesn't work, instead of an immediate reject
> or do_not_reply it could send an extra round with "Unable to
> authenticate you: rlm_sql failed. Try again later"; and only then the
> Reject.
>
> I have no clue how to configure such a behaviour. Is it possible at all?
Probably with some magic. But will the supplicants display the
notification to the end user? I doubt it.
Alan DeKok.
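The two-round exchange Stefan describes, as an added example that is not part of this thread and not FreeRADIUS code: the server answers the Access-Request with an Access-Challenge carrying EAP-Request/Notification (RFC 3748 type 2) plus a State attribute, and answers the NAS's follow-up Access-Request with an Access-Reject carrying EAP-Failure (and the same text in Reply-Message, for NASes that display that instead). Because the replies carry EAP-Message, Message-Authenticator is mandatory (RFC 3579), so the code computes it and includes the NAS-side check. The shared secret, Request Authenticators, identifiers and the notice text are constructed values; the wire formats are from the RFCs. Whether a given switch tolerates the Challenge or a given supplicant shows the text is, as noted above, a separate question the code cannot settle.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3579); EAP codes and types (RFC 3748)
ACCESS_REJECT, ACCESS_CHALLENGE = 3, 11
ATTR_REPLY_MESSAGE, ATTR_STATE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 18, 24, 79, 80
EAP_REQUEST, EAP_FAILURE = 1, 4
EAP_TYPE_NOTIFICATION = 2


def eap_notification(eap_id, text):
    """EAP-Request/Notification (RFC 3748 s5.2): displayable UTF-8 text, no NUL."""
    data = text.encode("utf-8")
    return struct.pack("!BBHB", EAP_REQUEST, eap_id, 5 + len(data), EAP_TYPE_NOTIFICATION) + data


def eap_failure(eap_id):
    """EAP-Failure: code 4, no type field, length 4; id matches the last EAP-Response."""
    return struct.pack("!BBH", EAP_FAILURE, eap_id, 4)


def attr(atype, value):
    """One RADIUS attribute TLV; a value must fit in 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def eap_message_attrs(eap_pkt):
    """RFC 3579 s3.1: the EAP packet is split over consecutive EAP-Message attributes."""
    return b"".join(attr(ATTR_EAP_MESSAGE, eap_pkt[i:i + 253]) for i in range(0, len(eap_pkt), 253))


def radius_reply(code, ident, request_auth, attrs, secret):
    """Server reply with Message-Authenticator (HMAC-MD5 keyed with the secret over the
    packet, Request Authenticator in the authenticator field, M-A value zeroed) and
    the Response Authenticator (MD5 over header, Request Authenticator, attrs, secret)."""
    attrs = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac  # Message-Authenticator is the last attribute
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(packet):
    """Return [(type, value), ...]; raise on a length that runs past the packet."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_reply(packet, request_auth, secret):
    """NAS-side check of both authenticators; False on any mismatch or missing M-A."""
    header, attrs = packet[:4], packet[20:]
    pos, ma_off = 0, None
    while pos + 2 <= len(attrs):
        if attrs[pos] == ATTR_MESSAGE_AUTHENTICATOR and attrs[pos + 1] == 18:
            ma_off = pos + 2
        pos += max(attrs[pos + 1], 2)
    if ma_off is None:
        return False
    zeroed = attrs[:ma_off] + b"\x00" * 16 + attrs[ma_off + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, attrs[ma_off:ma_off + 16]):
        return False
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, packet[4:20])


def decode_eap(packet):
    """Reassemble EAP-Message fragments; return (code, id, notification text or None)."""
    eap = b"".join(v for t, v in parse_attrs(packet) if t == ATTR_EAP_MESSAGE)
    code, eap_id, length = struct.unpack("!BBH", eap[:4])
    text = None
    if code == EAP_REQUEST and eap[4] == EAP_TYPE_NOTIFICATION:
        text = eap[5:length].decode("utf-8")
    return code, eap_id, text


def notice_challenge(radius_id, request_auth, eap_id, text, secret, state=b"rfc4284-notice"):
    """Round 1: Access-Challenge with EAP-Request/Notification and a State the NAS echoes."""
    attrs = eap_message_attrs(eap_notification(eap_id, text)) + attr(ATTR_STATE, state)
    return radius_reply(ACCESS_CHALLENGE, radius_id, request_auth, attrs, secret)


def final_reject(radius_id, request_auth, eap_id, text, secret):
    """Round 2: Access-Reject with EAP-Failure, text repeated in Reply-Message."""
    attrs = eap_message_attrs(eap_failure(eap_id)) + attr(ATTR_REPLY_MESSAGE, text.encode("utf-8"))
    return radius_reply(ACCESS_REJECT, radius_id, request_auth, attrs, secret)


if __name__ == "__main__":
    # Constructed demo values (not a captured exchange): secret, the Request Authenticators
    # of the two Access-Requests the NAS sends, and the text to show the user.
    secret = b"testing123"
    req_auth1, req_auth2 = bytes(range(16)), bytes(range(16, 32))
    msg = "Sorry, your home server is unreachable"
    ch = notice_challenge(7, req_auth1, 1, msg, secret)
    print("challenge verifies:", verify_reply(ch, req_auth1, secret), decode_eap(ch))
    rj = final_reject(8, req_auth2, 1, msg, secret)  # EAP id 1 = the peer's Notification response
    print("reject verifies:", verify_reply(rj, req_auth2, secret), decode_eap(rj))
```

The second Access-Request has its own identifier and Request Authenticator, so the Reject is authenticated against those, not against the first request; a NAS that checks Message-Authenticator with the wrong Request Authenticator drops the reply, which is the check `verify_reply` models.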