On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell <[email protected]> wrote:
> The old HP switches used to convert the Reply-Message into an
> EAP-Notification and send it after the EAP-Success or EAP-Failure.

This is not compliant with the EAP specification (EAP-Notification needs to be sent prior to completion of an EAP authentication method). Sending it after EAP-Success or EAP-Failure would look like an attempt to initiate another authentication exchange.

> It may be possible to send it before the EAP-Success/EAP-Failure message for
> some EAP methods, but chances are not all supplicants will like it, and most
> probably won't display anything.

EAP-Notification is not really supported in general and even the specification does not really require displaying anything from this message to the user. There is also no way of authenticating this information, so this would not be ideal for authorization failures.

- Jouni
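The ordering rule discussed in this message, as an added example that is not part of the original post or of any project's code: a small checker that parses EAP packets (header layout and Code/Type values per RFC 3748) and flags a Notification Request that arrives after EAP-Success or EAP-Failure. The function names and both sample exchanges are constructed for illustration.

```python
import struct

# EAP Code and Type values from RFC 3748.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NOTIFICATION = 1, 2

def build_eap(code, ident, eap_type=None, data=b""):
    """Encode one EAP packet: Code, Identifier, Length, then Type + data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Return (code, identifier, type, data); type is None for Success/Failure."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP Length field")
    body = pkt[4:length]
    if code in (REQUEST, RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type")
        return code, ident, body[0], body[1:]
    return code, ident, None, b""

def late_notifications(packets):
    """Indexes of Notification Requests that arrive after Success/Failure."""
    finished, late = False, []
    for i, pkt in enumerate(packets):
        code, _, eap_type, _ = parse_eap(pkt)
        if code in (SUCCESS, FAILURE):
            finished = True
        elif code == REQUEST and eap_type == NOTIFICATION:
            if finished:
                late.append(i)
        elif code == REQUEST:
            finished = False  # any other Request opens a new exchange
    return late

# Constructed sample exchanges (not captured traffic).
MSG = b"Account disabled"
AFTER_FAILURE = [build_eap(REQUEST, 1, IDENTITY), build_eap(RESPONSE, 1, IDENTITY, b"user"),
                 build_eap(FAILURE, 1), build_eap(REQUEST, 2, NOTIFICATION, MSG)]
BEFORE_FAILURE = [build_eap(REQUEST, 1, IDENTITY), build_eap(RESPONSE, 1, IDENTITY, b"user"),
                  build_eap(REQUEST, 2, NOTIFICATION, MSG), build_eap(RESPONSE, 2, NOTIFICATION),
                  build_eap(FAILURE, 2)]

if __name__ == "__main__":
    print(late_notifications(AFTER_FAILURE), late_notifications(BEFORE_FAILURE))
```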

