How I can properly send error reasons for EAP requests Access-Reject?
mcn at freeradius.org
Wed Aug 3 15:31:32 UTC 2022
On 03/08/2022 16:24, work vlpl wrote:
> I have a requirement to provide the reason why authentication failed.
> For non-EAP clients, it is easy just include Reply-Message in
> Access-Reject packet. But for EAP clients RFC says Reply-Message
> should not be sent with EAP-Message together.
Because the NAS gets the Reply-Message attribute, not the end user
device, which only sees the EAP transaction.
So Reply-Message will never get to the user.
> And I've read RFC 3579 more.
No EAP supplicants display a message back to the user.
So there's no point worrying what any of the RFCs say. If the
supplicants being used don't do it, then you can't do it.
More information about the Freeradius-Users