On 8/6/09 13:26, David Mitton wrote:
> A couple comments on this thread...
>
> The problem with including Reply message text in EAP is that the Reply
> attribute comes in the Accept or Reject message, which will be carrying
> the EAP Success or Fail. EAP Success/Fail, like a Reject, doesn't carry
> attributes, so a Reply would have to be turned into a Notification
> message by a smart AP and sent as an exchange prior to the Success/Fail.
> That doesn't look likely.

ProCurve wired switches do this in the earlier software versions < H.10.74. 
They actually send the EAP-Notification *after* the EAP-Success or EAP-Failure 
which is what breaks WPA-Supplicant.

As far as its state machines are concerned the EAP-Success/EAP-Failure messages signify the end of authentication... so if it receives an EAP-Notification message *after* the EAP-Success/EAP-Failure, it sees it as the NAS requesting to restart authentication.


> An EAP method can send its own Notification message including any text
> it wants. This will get wrapped in RADIUS with an EAP message attribute
> in an Access-Challenge, and go the normal path. The next problem is
> getting the supplicant to do anything with it, like show the user.


WPA-Supplicant shows the contents of EAP-Notifications, the Mac OS X supplicant
logs the message to /var/system.log, and the Windows supplicant largely ignores them.

> This can be a problem if your supplicant is Windows. The Windows
> wireless EAP system silently discards EAP Notification messages on XP.
> On Vista, an EAPHost API method can get them if they ask. A RasEap API
> method is SOL, because they are discarded and not responded to, breaking
> the protocol. (Ask me how I know ;^} ) Look for a forthcoming patch for
> Vista.


Arran
--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
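The ordering problem Arran describes (an EAP-Notification arriving after EAP-Success makes the peer treat it as a fresh authentication) is easy to see with a small model of the peer state machine. The following is an added example, not code from the thread, from wpa_supplicant or from ProCurve: it encodes and decodes EAP packets in the RFC 3748 layout (Code, Identifier, Length, Type, Type-Data), answers a Notification Request with the empty Notification Response the RFC requires, and runs the same three packets in both orders. The switch text "Welcome, port 3 is in VLAN 10" and the identity "user@example" are constructed sample data.

```python
"""Toy EAP peer: shows why an EAP-Notification after EAP-Success restarts authentication."""
import struct

# EAP codes and types from RFC 3748
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NOTIFICATION = 1, 2

# Constructed sample data, not taken from any real switch or user
SAMPLE_NOTIFICATION = b"Welcome, port 3 is in VLAN 10"
SAMPLE_IDENTITY = b"user@example"


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, type or None, type_data)."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet length")
    if code in (EAP_REQUEST, EAP_RESPONSE) and length > 4:
        return code, ident, pkt[4], pkt[5:]
    return code, ident, None, b""


class Peer:
    """Minimal supplicant: Success/Failure ends the conversation; any later
    Request is treated as the authenticator starting a new one."""

    def __init__(self):
        self.state = "IDLE"
        self.notifications = []   # text the user would be shown
        self.restarts = 0         # conversations begun after Success/Failure

    def receive(self, pkt):
        code, ident, eap_type, data = parse_eap(pkt)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            self.state = "DONE"
            return None
        if code != EAP_REQUEST:
            return None           # peers never process Responses
        if self.state == "DONE":
            self.restarts += 1    # the failure mode from the thread
        self.state = "AUTHENTICATING"
        if eap_type == EAP_TYPE_NOTIFICATION:
            self.notifications.append(data.decode("utf-8", "replace"))
            # RFC 3748 5.2: Notification Response carries no Type-Data
            return build_eap(EAP_RESPONSE, ident, EAP_TYPE_NOTIFICATION)
        if eap_type == EAP_TYPE_IDENTITY:
            return build_eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, SAMPLE_IDENTITY)
        return None


def run(packets):
    """Feed authenticator packets to a fresh peer; return its final view."""
    peer = Peer()
    for pkt in packets:
        peer.receive(pkt)
    return peer.state, list(peer.notifications), peer.restarts


def notification_before_success():
    """Correct order: Notification is exchanged before Success."""
    return run([
        build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
        build_eap(EAP_REQUEST, 2, EAP_TYPE_NOTIFICATION, SAMPLE_NOTIFICATION),
        build_eap(EAP_SUCCESS, 3),
    ])


def notification_after_success():
    """The broken order: Notification arrives after Success."""
    return run([
        build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
        build_eap(EAP_SUCCESS, 2),
        build_eap(EAP_REQUEST, 3, EAP_TYPE_NOTIFICATION, SAMPLE_NOTIFICATION),
    ])


if __name__ == "__main__":
    print("before:", notification_before_success())
    print("after: ", notification_after_success())
```

In the first run the peer finishes in DONE with the text recorded and no restart; in the second it still records the text, but the late Request flips it back to AUTHENTICATING and counts a restart, which is the behaviour a real supplicant exhibits when the NAS sends the Notification after EAP-Success.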