Issue with EAP authentication on packet loss

Stefan Winter stefan.winter at restena.lu
Wed Apr 25 14:53:25 CEST 2018


Hi,

>   This lets the server "clean up" old cache entries when the *end user's system* moves to the next packet.

Yes, that's arguably the more correct thing to do. After all, EAP is a
lock-step protocol, and as long as one side isn't sure that the other side
has taken the next step, it must be prepared to repeat the previous step.

>   But... even if we did this, it wouldn't solve the problem of intermediate proxies dropping replies.  If they dropped a reply because of a "bad attribute", the next reply will include that attribute, and the proxy will drop it again.

Yes, but: it will then consistently drop.

So far, FreeRADIUS changes the drop to a Reject on second try, which is
even less intuitive than a bad, but consistent behaviour.

>   This change would only help with transient networking issues.  Which I suspect is pretty much every day for Eduroam. :(

Our backbones are really very well-maintained and error-free :-)

Greetings,

Stefan


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
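
The lock-step behaviour discussed in this message, as an added illustration (not FreeRADIUS code and not written by either poster): a toy server that keeps its previous reply until the peer answers the next request, beside one that discards the reply as soon as it is sent. `LockStepServer`, `Session`, the session key and the action names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Reply = Tuple[str, int]  # (action, EAP Identifier carried in the reply)


@dataclass
class Session:
    awaiting_id: int = 1                # Identifier of the outstanding EAP-Request
    prev_id: Optional[int] = None       # Identifier of the last response handled
    prev_reply: Optional[Reply] = None  # reply sent for it, kept for retransmits


class LockStepServer:
    """Toy model of per-session EAP state (hypothetical, not FreeRADIUS)."""

    def __init__(self, keep_previous_step: bool):
        self.keep_previous_step = keep_previous_step
        self.sessions = {}

    def handle(self, session_key: str, response_id: int) -> Reply:
        s = self.sessions.setdefault(session_key, Session())
        if response_id == s.awaiting_id:
            # The peer answered the outstanding request, so it has taken the
            # next step: only now may the older cached reply be replaced.
            reply = ("challenge", (response_id + 1) % 256)  # 1-octet Identifier
            s.prev_id, s.awaiting_id = response_id, reply[1]
            s.prev_reply = reply if self.keep_previous_step else None
            return reply
        if response_id == s.prev_id and s.prev_reply is not None:
            # Same response again: our reply was lost, repeat the previous step.
            return s.prev_reply
        # State for this step is gone, or the packet is out of sequence.
        return ("reject", response_id)


def run_with_lost_reply(keep_previous_step: bool):
    """Constructed scenario: the peer answers request 1, the reply is lost
    on the way back, and the peer retransmits the same response twice."""
    server = LockStepServer(keep_previous_step)
    return [server.handle("constructed-session", 1) for _ in range(3)]


if __name__ == "__main__":
    print("keep previous step:", run_with_lost_reply(True))
    print("discard on send:   ", run_with_lost_reply(False))
```

With the previous step kept, every retransmission gets the identical reply, so a path that drops it does so consistently; with the reply discarded on send, the first retry already turns into a reject.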