Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-23 Thread Alan DeKok
On Aug 23, 2020, at 12:52 PM, Mohit Sethi M wrote: > Well. I am referring to the text from the RFC 3579: "In order to avoid > retransmissions by the peer, the Access-Reject SHOULD include an > EAP-Response/Nak packet indicating no preferred method, encapsulated > within EAP-Message

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-23 Thread Mohit Sethi M
Hi again, On 8/23/20 7:12 PM, Alan DeKok wrote: > On Aug 23, 2020, at 9:48 AM, Mohit Sethi M wrote: >> Sorry, but you are missing context here. The discussion was no longer >> about sending an EAP failure when no suitable EAP methods are available. >> Terry and I were discussing the direction of

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-23 Thread Alan DeKok
On Aug 23, 2020, at 9:48 AM, Mohit Sethi M wrote: > Sorry, but you are missing context here. The discussion was no longer > about sending an EAP failure when no suitable EAP methods are available. > Terry and I were discussing the direction of NAK messages in an EAP > conversation. I

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-23 Thread Mohit Sethi M
Hi Alan, On 8/21/20 3:50 PM, Alan DeKok wrote: > On Aug 21, 2020, at 3:27 AM, Mohit Sethi M > wrote: >> Sorry for nitpicking here. But it is important to distinguish the two >> components that comprise a AAA server: RADIUS server and EAP server. RFC >> 3579 briefly alludes to this difference

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-21 Thread Alan DeKok
On Aug 21, 2020, at 3:27 AM, Mohit Sethi M wrote: > Sorry for nitpicking here. But it is important to distinguish the two > components that comprise a AAA server: RADIUS server and EAP server. RFC > 3579 briefly alludes to this difference and uses different terms for a > RADIUS server and an

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-21 Thread Mohit Sethi M
Hi Terry, On 8/20/20 5:41 PM, Terry Burton wrote: > On Thu, 20 Aug 2020 at 14:54, Mohit Sethi M > wrote: >> It would be a misinterpretation to say that everything from the >> authenticator is an EAP-Request hence EAP-Failure is also a Request. >> It's an EAP packet with a different Code. Thus,

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-20 Thread Terry Burton
On Thu, 20 Aug 2020 at 14:54, Mohit Sethi M wrote: > It would be a misinterpretation to say that everything from the > authenticator is an EAP-Request hence EAP-Failure is also a Request. > It's an EAP packet with a different Code. Thus, it is wrong to say that > text "the authenticator SHOULD

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-20 Thread Mohit Sethi M
Hi Terry, It would be a misinterpretation to say that everything from the authenticator is an EAP-Request hence EAP-Failure is also a Request. It's an EAP packet with a different Code. Thus, it is wrong to say that text "the authenticator SHOULD NOT send another Request" also implies that the

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-20 Thread Terry Burton
On Thu, 20 Aug 2020 at 13:34, Mohit Sethi M wrote: <...snip...> > It's also contrary to... > > Type zero (0) is used to indicate that the sender has > no viable alternatives, and therefore the authenticator SHOULD NOT > send another Request after receiving a Nak Response

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-20 Thread Mohit Sethi M
Hi Terry, On 8/20/20 3:02 PM, Terry Burton wrote: On Thu, 20 Aug 2020 at 10:00, Mohit Sethi M wrote: I surely must be missing something here: Packet 6 is an EAP-Response from the peer. Packet 7 contains another EAP-Response inside a

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-20 Thread Terry Burton
On Thu, 20 Aug 2020 at 10:00, Mohit Sethi M wrote: > I surely must be missing something here: > > Packet 6 is an EAP-Response from the peer. Packet 7 contains another > EAP-Response inside a RADIUS Access-Request? That doesn't make sense. EAP is > lock-step request-response protocol. The

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-20 Thread Mohit Sethi M
Hi Terry, I surely must be missing something here: Packet 6 is an EAP-Response from the peer. Packet 7 contains another EAP-Response inside a RADIUS Access-Request? That doesn't make sense. EAP is lock-step request-response protocol. The conversation you describe is incorrect. My reading of

Re: [Emu] Appropriate AAA/EAP response to a peer's NAK when there are no overlapping methods

2020-08-19 Thread Alan DeKok
On Aug 19, 2020, at 8:39 PM, Terry Burton wrote: > I'm unable to find the authoritative source that state exactly how the > following conversation continues (TL;DR; the peer NAKs the original > method and the AAA doesn't support any of the peer's proposals): > ... > 8. AAA: Now what? Run