Aurelien Magniez <[EMAIL PROTECTED]> wrote:
> Here are detailed explanations describing why I would
> like to implement such a mechanism:
>
> Take the following scenario:
...
> An arrow represents an EAP-Message. It contains the
> EAP Identifier value. A dash indicates that the
> initial EAP-Message has been modified.

  How? It can't modify the EAP-Message in the RADIUS packet, as it's
protected by the Message-Authenticator attribute. The wireless portion
of the EAP session can be modified, but it's hard to do that without
being detected by the client.

> Moreover, FreeRADIUS doesn't detect that the EAP-PSK
> data are corrupted (it's totally normal :-)

  If the RADIUS packet is modified, FreeRADIUS will detect it. If the
EAP message is modified, it won't. That's why EAP-TTLS uses SSL, with
server-side certificates. That protects the EAP session.

> By the way, do you think it's interesting to implement
> such a mechanism? Perhaps the first solution is the
> best way....

  If the EAP packet was modified, it shouldn't be an EAP failure. The
bad packet should just be ignored.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
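The Message-Authenticator protection the reply relies on, as an added worked example that is not part of this thread and not FreeRADIUS's own code. Per RFC 3579, Message-Authenticator (attribute 80) is an HMAC-MD5 over the whole RADIUS packet, keyed with the NAS/server shared secret, computed with the attribute's own 16 value octets set to zero. The packet, the EAP-Response/Identity inside it, the identity string and the shared secret below are all constructed sample values; the example signs a packet, then flips the EAP Identifier byte inside the EAP-Message attribute to show the check fails, which is the NAS-to-server hop the reply describes as protected.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute types and packet code used below (RFC 2865 / RFC 3579).
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
CODE_ACCESS_REQUEST = 1


def attr(atype, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    assert len(value) <= 253, "attribute value too long for one AVP"
    return bytes([atype, len(value) + 2]) + value


def build_access_request(identifier, request_auth, attrs):
    """Assemble an Access-Request: Code, Identifier, Length, Authenticator(16), attributes."""
    assert len(request_auth) == 16
    body = b"".join(attrs)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def find_attr(packet, atype):
    """Return (offset, value) of the first attribute of type `atype`, or None."""
    off = 20
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed attribute")
        if t == atype:
            return off, packet[off + 2:off + length]
        off += length
    return None


def compute_message_authenticator(packet, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 3579 3.2)."""
    off, _ = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def sign(packet, secret):
    """Fill in the Message-Authenticator value of a packet that carries a placeholder."""
    mac = compute_message_authenticator(packet, secret)
    off, _ = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    return packet[:off + 2] + mac + packet[off + 18:]


def verify(packet, secret):
    """True only if the packet's Message-Authenticator matches the recomputed HMAC."""
    found = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False
    return hmac.compare_digest(found[1], compute_message_authenticator(packet, secret))


def demo(secret=b"testing123", request_auth=None):
    """Sign a constructed Access-Request, then tamper with the EAP Identifier inside EAP-Message.

    Returns (verify_before_tamper, verify_after_tamper). Secret and identity are sample values."""
    if request_auth is None:
        request_auth = os.urandom(16)  # NAS picks a random Request Authenticator
    identity = b"user@example.org"  # constructed sample identity
    # EAP-Response (code 2), Identifier 1, Length, Type 1 (Identity), then the identity.
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    pkt = build_access_request(0x2A, request_auth, [
        attr(ATTR_USER_NAME, identity),
        attr(ATTR_EAP_MESSAGE, eap),
        attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # placeholder, filled by sign()
    ])
    signed = sign(pkt, secret)

    # An attacker on the NAS-to-server path changes the EAP Identifier (byte 1 of the EAP header).
    off, _ = find_attr(signed, ATTR_EAP_MESSAGE)
    tampered = bytearray(signed)
    tampered[off + 2 + 1] ^= 0x01
    return verify(signed, secret), verify(bytes(tampered), secret)


if __name__ == "__main__":
    print(demo())  # (True, False): intact packet verifies, tampered EAP-Message does not
```

The check covers only the RADIUS leg: anything the NAS received over 802.1X/EAPOL is already inside the EAP-Message payload by the time the HMAC is computed, so a modification on the wireless hop is signed as-is and is exactly the case the reply says must be caught by the EAP method itself (for example by EAP-TTLS's TLS layer).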