|
Windows 7 does not include a
RADIUS client. So I’m surprised that you are seeing it send RADIUS packets at
all, let alone a RADIUS Access-Request including an EAP-Message attribute. If a NAS sends an EAP Identity-Request
to an EAP peer, I’d expect the EAP peer to respond with an EAP
Identity-Response. The NAS can then send an Access-Request with an
EAP-Message attribute containing the contents of the EAP-Response/Identity. Am I missing something? From: Koehler, Yannick
[mailto:yannick.koehler@hp.com] An errata would be useful
because even after your reply the RFC seems even more confusing, this part of
the RFC no more apply then: “ EAP-Start is indicated by sending an EAP-Message attribute with a
length of 2 (no data).” We saw report that Windows 7 was
sending a EAP-Message with length of 2, that is why I am inquiring. But
considering what you just said, the fact that our product sends an
identity-request should force them to send an EAP Identity response and not an
EAP-start. I will pursue my investigation to figure out in which
situation the Windows 7 act like this. -- Yannick Koehler From: Bernard Aboba
[mailto:bernard_aboba@hotmail.com] In the normal case you describe below (where the NAS always
starts off with an EAP-Identity Request) there is no need for the NAS to ever
send an EAP-Start packet to the RADIUS server. This is only useful if the
Identity exchange might be superfluous and the RADIUS server can just start off
with the EAP method Request from the beginning. There are a very limited
number of situations where this would be useful because: a.
The NAS has to route the request to a
RADIUS server without a User-Name attribute because there has been no Identity
Exchange (e.g. only the Calling-Station-Id might be available to be placed in
the User-Name attribute) b.
The RADIUS server has to be prepared to
choose the EAP method based on what is placed in the User-Name attribute, if
anything. There are some limited situations in which this might be useful…
but I’m not aware of much deployment experience. The EAP-Start packet is a RADIUS Access-Request packet
containing an EAP-Message attribute with a single NUL character. So the
length of the EAP-Message attribute is >=3. Might make sense to file an errata to clarify. There is no RADIUS attribute to encapsulate EAPoL, only
EAP-Message, which is used to encapsulate EAP. So there is no way
to send an EAPoL-Start packet to a RADIUS server within an EAP-Message
attribute. If there is a need to convey EAPoL-Start data (e.g. IEEE
802.1X-REV extensions to EAPoL-Start such as NIDs) then you’d need to define a
distinct RADIUS attribute to convey that. From: Koehler, Yannick
[mailto:yannick.koehler@hp.com] Hello, I have read the RFC 3579 and I have some questions
and I was hoping to get some answers from you. In the RFC it says that
the EAP-Start may be represented by an EAP-Message of length 2 (no data).
Yet, the specification of this EAP-Message attribute is defined with a
length >= 3 and that, even in the RFC 3579. Also, I do not follow why
there is an EAP-Start packet is this the same as EAPOL-Start ? And if
not, why sending such an empty packet to a RADIUS server? It seems to me
like it waste a round-trip. My understanding of 802.1x nego is something like
that: Client sends EAPOL-Start
NAS answer EAP-Identity Request Client sends EAP-Identity response
NAS sends RADIUS with EAP identity response to RADIUS
RADIUS reply
NAS forward answer. Client continue exchange. How is the EAP-Start affecting this negotiation and when is
it used, and why? Is there more documentation on this packet? -- Yannick Koehler |