Heikki, Would it make sense not modify Radiator behavior to only send reject if the OpenSSL returns mismatch rather than unexpected record? This way if there is a packet loss or intermittent client issues, the client doesn't get kicked off the net.
Thanks. Sent with Good (www.good.com) -----Original Message----- From: Heikki Vatiainen [[email protected]<mailto:[email protected]>] Sent: Monday, February 17, 2014 02:22 PM Coordinated Universal Time To: [email protected] Subject: Re: [RADIATOR] (P)EAP flow On 02/14/2014 07:17 PM, Garry Shtern wrote: > I have noticed that if Radiator receives a midstream EAP exchange > message, it responds back with a CHALLENGE. I would expect something like this with PEAP. ERR: EAP TLS error: -1, 1, 8465, 13062: 1 - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record Then an Access-Reject is sent back to the client. > I am trying to understand > what exactly happens at this point. Does the Supplicant respond to the > challenge with a brand new exchange or just retransmits whatever packet > it sent before? If it’s the latter, is there any way to force a > supplicant to re-start the negotiation, perhaps with a crafted CHALLENGE? The supplicant probably restarts, but that's only because it got an unexpected response. I most cases I would expect that a midstream EAP message results as a some sort of error on Radiator side. Thanks, Heikki -- Heikki Vatiainen <[email protected]> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. _______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
_______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
