Can an EAP-over-RADIUS request ever result in an Access-Reject?
joe27256 at gmail.com
Mon Jan 27 16:54:08 CET 2020
The reason for that question is based on RFC 3579, section 3.2:
It [Message-Authenticator] MUST be used in any Access-Request, Access-
Accept, Access-Reject or Access-Challenge that includes an EAP-Message
attribute. A RADIUS server receiving an Access-Request with a Message-
Authenticator attribute present MUST calculate the correct value of the
Message-Authenticator and silently discard the packet if it does not match
the value sent.
What this would mean in practice is that any EAP authentication
request with an incorrect password will be silently dropped, so
there's no possibility of ever seeing an Access-Reject. I know what
the Message-Authenticator is meant for, but since I'm just using EAP
as a transport layer for a TLS tunnel its presence is irrelevant.
Is this behavior really how it works? How can you use an
authentication mechanism for which the behavior for an incorrect
password is indistinguishable from a network error?
More information about the Freeradius-Users