On 21 Mar 2013, at 15:56, David Mitton <da...@mitton.com> wrote:

> Quoting Arran Cudbard-Bell <a.cudba...@freeradius.org>:
>
>> On 21 Mar 2013, at 13:26, Jouni Malinen <jkmali...@gmail.com> wrote:
>>
>>> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
>>> <a.cudba...@freeradius.org> wrote:
>>>> The old HP switches used to convert the Reply-Message into an
>>>> EAP-Notification and send it after the EAP-Success or EAP-Failure.
>>>
>>> This is not compliant with the EAP specification (EAP-Notification
>>> needs to be sent prior to completion of an EAP authentication method).
>>> Sending it after EAP-Success or EAP-Failure would look like an attempt
>>> to initiate another authentication exchange.
>>
>> Their 802.1X implementation was pre-RFC3579. In newer firmware releases
>> this has been fixed.
>>
>>>> It may be possible to send it before the EAP-Success/EAP-Failure message
>>>> for some EAP methods, but chances are not all supplicants will like it,
>>>> and most probably won't display anything.
>>>
>>> EAP-Notification is not really supported in general and even the
>>> specification does not really require displaying anything from this
>>> message to the user. There is also no way of authenticating this
>>> information, so this would not be ideal for authorization failures.
>>
>> Agreed. But in the absence of a standards solution it might be interesting
>> to experiment and see how supplicants respond to this.
>
> My RSA Windows EAP module sends EAP Notification messages under 4 different
> error circumstances. These are typically retry-able input problems. It was
> the default until the boffins that took over EAP for Windows 7 broke their
> code. XP and Vista worked fine, they took the request and responded with a
> blank response. No user-visible message resulted. Win7 didn't respond at
> all, which caused the protocol to break. They patched it when I pointed out
> the problem. But I flipped off the default, don't know if/when that was
> released.
>
> There is a registry key that controls it.
Interesting. OSX does a similar thing, but it logs the notification, which can be very helpful if you're on the helpdesk and trying to diagnose issues. I wonder if Windows also does the silent logging.

-Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
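A small checker for the ordering rule Jouni describes above, added here as an example and not code from the thread or from FreeRADIUS: it parses RFC 3748 EAP headers and flags anything an authenticator sends after EAP-Success/EAP-Failure, which is the old HP switch ordering. The packet bytes are constructed, not captured from a real switch.

```python
import struct

# EAP Codes and Types from RFC 3748
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NOTIFICATION = 1, 2


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet: Code, Identifier, Length, then Type/Type-Data for Request/Response."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet size")
    msg = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response without a Type octet")
        msg["type"] = pkt[4]
        msg["data"] = pkt[5:length]
    return msg


def audit_eap_conversation(packets) -> list:
    """Return a finding for every packet that follows EAP-Success/EAP-Failure.

    Success/Failure end the conversation; a Notification Request after that point
    is the pre-RFC3579 HP behaviour and looks to the peer like a new exchange.
    """
    findings, ended_by = [], None
    for index, pkt in enumerate(packets):
        msg = parse_eap(pkt)
        is_notify = msg.get("type") == EAP_TYPE_NOTIFICATION
        if ended_by is not None:
            what = "EAP-Notification" if is_notify else f"EAP code {msg['code']}"
            findings.append({
                "index": index, "id": msg["id"],
                "problem": f"{what} sent after {ended_by}; not RFC 3748 compliant",
                # Notification text is unauthenticated, so log it but never act on it
                "text": msg["data"].decode("utf-8", "replace") if is_notify else None,
            })
        if msg["code"] == EAP_SUCCESS:
            ended_by = "EAP-Success"
        elif msg["code"] == EAP_FAILURE:
            ended_by = "EAP-Failure"
    return findings


# Constructed sample packets: Request/Notification "Access denied" (id 6) and Failure (id 6)
NOTIFY = bytes([EAP_REQUEST, 6, 0, 18, EAP_TYPE_NOTIFICATION]) + b"Access denied"
FAILURE = bytes([EAP_FAILURE, 6, 0, 4])
COMPLIANT = [NOTIFY, FAILURE]   # notification before completion
HP_STYLE = [FAILURE, NOTIFY]    # notification after completion (old HP switches)

if __name__ == "__main__":
    print(audit_eap_conversation(COMPLIANT))  # []
    print(audit_eap_conversation(HP_STYLE))   # one finding at index 1
```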