|
There is no such thing as an EAP-Start
packet defined outside of RADIUS. Perhaps you are thinking of EAPoL-Start? However,
EAPoL-Start as defined in IEEE 802.1X-2004 does not contain any data, nor does
it contain an EAP packet. An EAP authenticator can respond to an EAPoL-Start
by sending an EAP-Request/Identity to the peer; there is no reason to send a
RADIUS Access-Request/EAP-Message packet to the RADIUS server unless there is a
desire to bypass the Identity exchange. From: Koehler, Yannick
[mailto:yannick.koehler@hp.com] Hi, I received claim that
Windows 7 sends out EAP-Start not RADIUS packets. Those EAP-Start most
likely are transmitted over a EAPOL packet and our product extract the EAP and
sends it over RADIUS. I was mostly getting up to date with this RFC
because it seems that this is where the EAP-Start got defined. -- Yannick Koehler From: Bernard Aboba
[mailto:bernard_aboba@hotmail.com] Windows 7 does not include a
RADIUS client. So I’m surprised that you are seeing it send RADIUS
packets at all, let alone a RADIUS Access-Request including an EAP-Message
attribute. If a NAS sends an EAP
Identity-Request to an EAP peer, I’d expect the EAP peer to respond with
an EAP Identity-Response. The NAS can then send an Access-Request
with an EAP-Message attribute containing the contents of the
EAP-Response/Identity. Am I missing something? From: Koehler, Yannick
[mailto:yannick.koehler@hp.com] An errata would be useful
because even after your reply the RFC seems even more confusing, this part of
the RFC no more apply then: “ EAP-Start is indicated by sending an EAP-Message attribute with a
length of 2 (no data).” We saw report that Windows 7 was
sending a EAP-Message with length of 2, that is why I am inquiring. But
considering what you just said, the fact that our product sends an
identity-request should force them to send an EAP Identity response and not an
EAP-start. I will pursue my investigation to figure out in which
situation the Windows 7 act like this. -- Yannick Koehler From: Bernard Aboba
[mailto:bernard_aboba@hotmail.com] In the normal case you describe below (where the NAS always
starts off with an EAP-Identity Request) there is no need for the NAS to ever
send an EAP-Start packet to the RADIUS server. This is only useful if the
Identity exchange might be superfluous and the RADIUS server can just start off
with the EAP method Request from the beginning. There are a very limited
number of situations where this would be useful because: a.
The NAS has to route the request to a
RADIUS server without a User-Name attribute because there has been no Identity
Exchange (e.g. only the Calling-Station-Id might be available to be placed in
the User-Name attribute) b.
The RADIUS server has to be prepared to
choose the EAP method based on what is placed in the User-Name attribute, if
anything. There are some limited situations in which this might be useful…
but I’m not aware of much deployment experience. The EAP-Start packet is a RADIUS Access-Request packet
containing an EAP-Message attribute with a single NUL character. So the
length of the EAP-Message attribute is >=3. Might make sense to file an errata to clarify. There is no RADIUS attribute to encapsulate EAPoL, only
EAP-Message, which is used to encapsulate EAP. So there is no way to
send an EAPoL-Start packet to a RADIUS server within an EAP-Message
attribute. If there is a need to convey EAPoL-Start data (e.g. IEEE
802.1X-REV extensions to EAPoL-Start such as NIDs) then you’d need to define a
distinct RADIUS attribute to convey that. From: Koehler, Yannick
[mailto:yannick.koehler@hp.com] Hello, I have read the RFC 3579 and I have some questions
and I was hoping to get some answers from you. In the RFC it says that
the EAP-Start may be represented by an EAP-Message of length 2 (no data).
Yet, the specification of this EAP-Message attribute is defined with a
length >= 3 and that, even in the RFC 3579. Also, I do not follow why
there is an EAP-Start packet is this the same as EAPOL-Start ? And if
not, why sending such an empty packet to a RADIUS server? It seems to me
like it waste a round-trip. My understanding of 802.1x nego is something like
that: Client sends EAPOL-Start
NAS answer EAP-Identity Request Client sends EAP-Identity response
NAS sends RADIUS with EAP identity response to RADIUS
RADIUS reply
NAS forward answer. Client continue exchange. How is the EAP-Start affecting this negotiation and when is
it used, and why? Is there more documentation on this packet? -- Yannick Koehler |