
Access-Accept & permitted EAP messages



  Reading RFC 3579, I see that EAP-Request isn't permitted in
Access-Accept, but it's silent on EAP-Response.

  I ask this because I've recently seen an implementation where an
invalid Access-Accept is sent in the middle of an EAP session, which
contains EAP-Response.  The NAS implementation is problematic, too, as
it thinks the user is "accepted", and sends Accounting-Request for
that session.

  The Access-Accept doesn't contain EAP-Success or any MPPE keys, so
no wireless traffic should pass, but it's still an odd situation.

  Section 2.6.3 of RFC 3579 talks about combinations of messages that
SHOULD NOT be sent by the RADIUS server.  I don't see EAP-Request or
EAP-Response listed under Access-Accept, which is odd.

  Maybe we want to add something to the issues & fixes, saying "the
only EAP packet allowed in Access-Accept is EAP-Success.  Any other
EAP message MUST be interpreted as a reject".

  If so, I'll submit an official ISSUE.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
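
The rule proposed in the message above, sketched as a NAS-side check. This is an added example, not part of the original post or of any implementation it mentions. The function names, the "no-eap" verdict for packets without EAP-Message, and the sample packets are assumptions made for illustration; authenticator and Message-Authenticator validation are out of scope here.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS code (RFC 2865)
EAP_MESSAGE = 79       # RADIUS attribute type (RFC 3579)
EAP_CODES = {1: "EAP-Request", 2: "EAP-Response", 3: "EAP-Success", 4: "EAP-Failure"}

def eap_from_radius(packet):
    """Return (radius_code, concatenated EAP-Message bytes); ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:          # fragments are concatenated in order
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return code, eap

def check_access_accept(packet):
    """Apply the proposed rule; returns (verdict, reason)."""
    try:
        code, eap = eap_from_radius(packet)
    except ValueError as exc:
        return "reject", f"malformed: {exc}"
    if code != ACCESS_ACCEPT:
        return "n/a", "not an Access-Accept"
    if not eap:                           # assumption: non-EAP handling decides
        return "no-eap", "no EAP-Message attribute"
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        return "reject", "malformed EAP packet"
    name = EAP_CODES.get(eap[0], f"EAP code {eap[0]}")
    if eap[0] == 3:
        return "accept", name
    return "reject", f"{name} in Access-Accept"

def build(code, eap):
    """Constructed sample packet with a zeroed authenticator."""
    attr = bytes([EAP_MESSAGE, 2 + len(eap)]) + eap if eap else b""
    return struct.pack("!BBH", code, 1, 20 + len(attr)) + bytes(16) + attr

SUCCESS = build(2, bytes([3, 7, 0, 4]))             # Access-Accept + EAP-Success
MID_SESSION = build(2, bytes([2, 7, 0, 6, 13, 0]))  # Access-Accept + EAP-Response
```

With this check in place, the mid-session Access-Accept described in the message is treated as a reject, so no Accounting-Request would be started for it.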