Hi,

Well, RFC 3579 2.6.5 says: if EAP-Message, then there MUST NOT be a Reply-Message. I understand the point of this based on the RFC.

In my case (remember the eduroam design thread from a while back), I have several "local" RADIUS servers which proxy all requests to my central RADIUS, which in turn performs the authn+z for the users, or forwards the request to the top-level RADIUS if the user does not belong to our organization (eduroam stuff, nothing new so far).

So, I would like, in case of an Access-Reject of OUR users logging in at OUR schools, to send back a Reply-Message to the local RADIUS in the outer reply, so the local admin knows why their user has been rejected. This would be logged, then stripped before the reply reaches the NAS. If it's an external user in our network, or one of our users but in an external network, then I won't add the Reply-Message.

Would this still be illegal, and would I end up in jail? ;)

Olivier

--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: oliv...@heliosnet.org
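The two checks the design above relies on, as an added example (not code from the original post or from FreeRADIUS): a small decoder for the RADIUS attribute area that flags the RFC 3579 2.6.5 conflict (EAP-Message and Reply-Message in the same packet), and the "log it, then strip it" step the local proxy would apply before the reply reaches the NAS. The sample Access-Reject body is constructed; the attribute type numbers (18 for Reply-Message, 79 for EAP-Message) are the standard IANA assignments.

```python
REPLY_MESSAGE = 18   # RFC 2865 section 5.18
EAP_MESSAGE = 79     # RFC 3579 section 3.1


def parse_attributes(blob):
    """Decode the attribute area of a RADIUS packet (everything after the
    20-byte header) into a list of (type, value) pairs, rejecting malformed
    type/length/value framing instead of silently skipping it."""
    attrs = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def encode_attributes(attrs):
    """Inverse of parse_attributes: re-emit type/length/value framing."""
    return b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)


def violates_rfc3579(attrs):
    """RFC 3579 2.6.5: a packet carrying EAP-Message MUST NOT carry Reply-Message."""
    types = {atype for atype, _ in attrs}
    return EAP_MESSAGE in types and REPLY_MESSAGE in types


def strip_reply_message(attrs):
    """What the local proxy does before forwarding the reply to the NAS:
    keep the human-readable reason(s) for the local log, drop the attribute
    from the wire so the packet the NAS sees is RFC 3579 clean."""
    reasons = [value.decode("utf-8", "replace") for atype, value in attrs if atype == REPLY_MESSAGE]
    kept = [(atype, value) for atype, value in attrs if atype != REPLY_MESSAGE]
    return kept, reasons


# Constructed sample: the attribute area of an Access-Reject from the central
# server, carrying an EAP Failure (code 4, id 1, length 4) plus the reason text
# intended for the local admin.
SAMPLE_REJECT_ATTRS = encode_attributes([
    (EAP_MESSAGE, b"\x04\x01\x00\x04"),
    (REPLY_MESSAGE, b"Account expired"),
])
```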