On 02/17/2014 05:16 PM, Garry Shtern wrote: > Would it make sense not modify Radiator behavior to only send reject if > the OpenSSL returns mismatch rather than unexpected record?
Then there would need to be a correct request coming in later that allows the authentication to continue? That is, if the request is not rejected and can not be challenged, then the option would be to wait for the real request? > This way if > there is a packet loss or intermittent client issues, the client doesn't > get kicked off the net. I would say it might be a better idea to see how to minimise the number of unexpected messages. Would that be an option to explore? Thanks, Heikki > Thanks. > > > > Sent with Good (www.good.com) > > > -----Original Message----- > *From: *Heikki Vatiainen [[email protected] <mailto:[email protected]>] > *Sent: *Monday, February 17, 2014 02:22 PM Coordinated Universal Time > *To: *[email protected] > *Subject: *Re: [RADIATOR] (P)EAP flow > > On 02/14/2014 07:17 PM, Garry Shtern wrote: >> I have noticed that if Radiator receives a midstream EAP exchange >> message, it responds back with a CHALLENGE. > > I would expect something like this with PEAP. > > ERR: EAP TLS error: -1, 1, 8465, 13062: 1 - error:140940F5:SSL > routines:SSL3_READ_BYTES:unexpected record > > Then an Access-Reject is sent back to the client. > >> I am trying to understand >> what exactly happens at this point. Does the Supplicant respond to the >> challenge with a brand new exchange or just retransmits whatever packet >> it sent before? If it’s the latter, is there any way to force a >> supplicant to re-start the negotiation, perhaps with a crafted CHALLENGE? > > The supplicant probably restarts, but that's only because it got an > unexpected response. I most cases I would expect that a midstream EAP > message results as a some sort of error on Radiator side. > > Thanks, > Heikki > > -- > Heikki Vatiainen <[email protected]> > > Radiator: the most portable, flexible and configurable RADIUS server > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, > NetWare etc. > _______________________________________________ > radiator mailing list > [email protected] > http://www.open.com.au/mailman/listinfo/radiator > -- Heikki Vatiainen <[email protected]> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. _______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
