Can RADIUS indicate a standardised reason for access rejection?
Alan DeKok
aland at deployingradius.com
Thu Aug 18 13:30:48 UTC 2022
On Aug 18, 2022, at 9:10 AM, Michal Moravec <michal.moravec at macadmin.cz> wrote:
>
> Thank you for very insightful responses.
>
> One other thing I have noticed is that after the (Cisco Meraki) Access Point receives an Access-Reject message from RADIUS it will disassociate the supplicant, sending reason code 8 "Disassociated because sending STA is leaving or has left Basic Service Set (BSS)."
> https://www.cisco.com/assets/sol/sb/WAP371_Emulators/WAP371_Emulator_v1-0-1-5/help/Apx_ReasonCodes2.html
> There is a defined reason code (23) which seems to be more appropriate for the situation: "IEEE 802.1X authentication failed."
There is no way in RADIUS to tell the AP to send that message.
> Do you know whether this reason code should be used?
It should be used.
> If so what is the common practice? Do vendors do it?
I've never looked at the packet traces to tell. I suspect it is sent, but it doesn't matter.
The supplicant already knows that the authentication failed, because it gets an EAP failure packet. What is missing is the ability to send a *reason* for the failure.
> However, even with an answer to that I don't know if this would help in my case, since I cannot inspect Apple Wi-Fi (Airport) code because it is closed-source (unlike the kernel and the 802.1X client).
It runs NetBSD, but it's still closed.
Alan DeKok.
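The Access-Reject / EAP-Failure mechanics discussed above, as an added Python example that is not part of this thread or of FreeRADIUS: it encodes a RADIUS Access-Reject (RFC 2865) carrying an EAP-Failure inside EAP-Message, verifies the Response Authenticator the way a NAS would, and shows that the only place a reason text could travel is an optional Reply-Message, which the AP never forwards to the supplicant. The shared secret, packet identifiers and Request Authenticator are constructed values; Message-Authenticator is left out for brevity.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT, EAP_MESSAGE, REPLY_MESSAGE = 3, 79, 18
EAP_FAILURE = 4  # EAP Code field value for a Failure packet (RFC 3748)

def build_access_reject(ident, request_auth, secret, attrs):
    """Encode an Access-Reject; attrs is a list of (type, value_bytes).
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_radius(packet):
    """Split a RADIUS packet into header fields and a list of (type, value)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > length:  # reject truncated or overlong TLVs
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + ln]))
        pos += ln
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def verify_response_authenticator(packet, request_auth, secret):
    """What the NAS checks before trusting a reply to its own Access-Request."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def eap_code(attrs):
    """Reassemble (possibly fragmented) EAP-Message attributes, return EAP Code."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    return eap[0] if eap else None

def reject_reason(attrs):
    """Reply-Message text, if the server included any; None otherwise."""
    msgs = [v.decode(errors="replace") for t, v in attrs if t == REPLY_MESSAGE]
    return msgs or None

if __name__ == "__main__":
    # Constructed sample: secret and Request Authenticator are made up for the demo.
    secret, req_auth = b"testing123", bytes(range(16))
    eap_failure = bytes([EAP_FAILURE, 7, 0, 4])  # Code=4, Id=7, Length=4
    pkt = build_access_reject(7, req_auth, secret, [(EAP_MESSAGE, eap_failure)])
    parsed = parse_radius(pkt)
    print("valid:", verify_response_authenticator(pkt, req_auth, secret))
    print("EAP code:", eap_code(parsed["attrs"]), "reason:", reject_reason(parsed["attrs"]))
```

The supplicant sees only the EAP Code 4 relayed by the AP; nothing in this reply maps to an 802.11 disassociation reason code, which is the gap the thread describes.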