How I can properly send error reasons for EAP requests Access-Reject?
Matthew Newton
mcn at freeradius.org
Wed Aug 3 15:31:32 UTC 2022
On 03/08/2022 16:24, work vlpl wrote:
> I have a requirement to provide the reason why authentication failed.
> For non-EAP clients, it is easy just include Reply-Message in
> Access-Reject packet. But for EAP clients RFC says Reply-Message
> should not be sent with EAP-Message together.
Because the NAS gets the Reply-Message attribute, not the end user
device, which only sees the EAP transaction.
So Reply-Message will never get to the user.
> And I've read RFC 3579 more.
No EAP supplicants display a message back to the user.
So there's no point worrying what any of the RFCs say. If the
supplicants being used don't do it, then you can't do it.
--
Matthew
More information about the Freeradius-Users
mailing list