>>>>> "Rafa" == Rafa Marin Lopez <[email protected]> writes:
Rafa> Hi Sam: On 16/03/2012, at 15:51, Sam Hartman wrote:
>>>>>>> "Rafa" == Rafa Marin Lopez <[email protected]> writes:
>>
>>
Rafa> Personally, I would send a GSS token with the EAP Success and
Rafa> the error code Authorization failed to the initiator. This
Rafa> would allow the initiator to know that authentication was ok
Rafa> but authorization failed. Thus, the initiator does not get
Rafa> confused at all about what happened.
>>
>> I'd just send the error. EAP success doesn't actually allow you
>> to know much of anything because it's not integrity-protected
>> from the EAP server.
Rafa> It is just a matter of being coherent with each part. If the EAP
Rafa> authentication is successful, why not state so?
Because it's none of the peer's business whether the access is being
denied for an authorization or authentication reason. Also, peers have
to be able to deal with the case where the EAP message is absent, so
that code path is going to be better tested.
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab