Quoting Arran Cudbard-Bell <a.cudba...@freeradius.org>:
On 21 Mar 2013, at 13:26, Jouni Malinen <jkmali...@gmail.com> wrote:
On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell <a.cudba...@freeradius.org> wrote:
The old HP switches used to convert the Reply-Message into an
EAP-Notification and send it after the EAP-Success or EAP-Failure.
This is not compliant with the EAP specification (EAP-Notification
needs to be sent prior to completion of an EAP authentication method).
Sending it after EAP-Success or EAP-Failure would look like an attempt
to initiate another authentication exchange.
Their 802.1X implementation was pre-RFC3579. In newer firmware
releases this has been fixed.
It may be possible to send it before the EAP-Success/EAP-Failure
message for some EAP methods, but chances are not all supplicants
will like it, and most probably won't display anything.
EAP-Notification is not really supported in general and even the
specification does not really require displaying anything from this
message to the user. There is also no way of authenticating this
information, so this would not be ideal for authorization failures.
Agreed. But in the absence of a standards solution it might be
interesting to experiment and see how supplicants respond to this.
My RSA Windows EAP module sends EAP Notification messages under 4
different error circumstances. These are typically retry-able input
problems. It was the default until the boffins that took over EAP for
Windows 7 broke their code. XP and Vista worked fine, they took the
request and responded with a blank response. No user visible message
resulted. Win7 didn't respond at all, which caused the protocol to
break. They patched it when I pointed out the problem. But I flipped
off the default, don't know if/when that was released. There is a
registry key that controls it.
Dave.
-Arran
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
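The ordering problem discussed above (an EAP-Notification pushed out after EAP-Success/EAP-Failure, and a supplicant that never answers a Notification Request) can be checked mechanically from the packet sequence. The following is an added example written for this page; it is not code from the thread, from FreeRADIUS, from the HP switch firmware or from any Windows EAP module. It only assumes the EAP packet layout of RFC 3748 (Code, Identifier, Length, then Type and Type-Data for Request/Response; Notification is Type 2; a Notification Response carries no Type-Data). The two sample exchanges are constructed, not captures.

```python
"""Audit an EAP conversation for Notification placement and acknowledgement.

Added example for this thread, not project code. Packet layout per RFC 3748:
Code(1) Identifier(1) Length(2) [Type(1) Type-Data]. Success/Failure have no Type.
"""
import struct

# EAP Codes and Types (RFC 3748 section 4 and 5)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NOTIFICATION = 1, 2


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Serialise one EAP packet; Length covers the whole packet including the header."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Parse an EAP packet into a dict, validating the Length field against the bytes given."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length %d does not match %d bytes on the wire" % (length, len(packet)))
    msg = {"code": code, "id": identifier, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        msg["type"] = packet[4]
        msg["data"] = packet[5:]
    return msg


def supplicant_reply_to_notification(request):
    """What a compliant peer does with a Notification Request (RFC 3748 section 5.2):
    answer with a Notification Response of the same Identifier and no Type-Data,
    i.e. the 'blank response' XP/Vista sent. Returns None for any other packet."""
    msg = parse_eap(request)
    if msg["code"] != EAP_REQUEST or msg["type"] != TYPE_NOTIFICATION:
        return None
    return build_eap(EAP_RESPONSE, msg["id"], TYPE_NOTIFICATION)


def audit_conversation(packets):
    """Return a list of finding strings for one EAP conversation (both directions, in order).

    Flags a Notification Request that follows EAP-Success/EAP-Failure (nothing may
    follow those in the same conversation, so the peer sees it as a new exchange),
    any other packet after Success/Failure, and a Notification Request that never
    received a Notification Response before the conversation ended."""
    findings = []
    finished = None   # code of the Success/Failure that closed the conversation
    pending = set()   # Identifiers of unanswered Notification Requests
    for raw in packets:
        msg = parse_eap(raw)
        if finished is not None:
            ending = "Success" if finished == EAP_SUCCESS else "Failure"
            if msg["code"] == EAP_REQUEST and msg["type"] == TYPE_NOTIFICATION:
                findings.append("Notification Request id=%d sent after EAP-%s" % (msg["id"], ending))
            else:
                findings.append("packet code=%d sent after EAP-%s" % (msg["code"], ending))
            continue
        if msg["code"] in (EAP_SUCCESS, EAP_FAILURE):
            finished = msg["code"]
        elif msg["code"] == EAP_REQUEST and msg["type"] == TYPE_NOTIFICATION:
            pending.add(msg["id"])
        elif msg["code"] == EAP_RESPONSE and msg["type"] == TYPE_NOTIFICATION:
            pending.discard(msg["id"])
    for ident in sorted(pending):
        findings.append("Notification Request id=%d never answered" % ident)
    return findings


# Constructed sample exchanges (not real captures).
_notice = build_eap(EAP_REQUEST, 2, TYPE_NOTIFICATION, b"Password expires in 3 days")
COMPLIANT = [
    build_eap(EAP_REQUEST, 1, TYPE_IDENTITY),
    build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, b"user@example.org"),
    _notice,                                   # Notification before the method completes
    supplicant_reply_to_notification(_notice), # blank Notification Response
    build_eap(EAP_SUCCESS, 3),
]
OLD_HP_STYLE = [                               # Reply-Message pushed out after EAP-Failure
    build_eap(EAP_REQUEST, 1, TYPE_IDENTITY),
    build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, b"user@example.org"),
    build_eap(EAP_FAILURE, 2),
    build_eap(EAP_REQUEST, 3, TYPE_NOTIFICATION, b"Account locked"),
]
UNANSWERED = [                                 # peer ignores the Notification Request
    build_eap(EAP_REQUEST, 1, TYPE_IDENTITY),
    build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, b"user@example.org"),
    _notice,
    build_eap(EAP_SUCCESS, 3),
]

if __name__ == "__main__":
    for name, seq in (("compliant", COMPLIANT), ("old-hp", OLD_HP_STYLE), ("unanswered", UNANSWERED)):
        print(name, audit_conversation(seq) or "ok")
```

Running it reports nothing for the compliant sequence, one finding for the old switch behaviour (Notification after Failure) and one for a peer that swallows the Notification Request without replying. The audit deliberately does not try to decide whether the text was displayed, because, as noted in the thread, the specification does not require a supplicant to show it.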