On 21 Mar 2013, at 13:26, Jouni Malinen <jkmali...@gmail.com> wrote:
> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
> <a.cudba...@freeradius.org> wrote:
>> The old HP switches used to convert the Reply-Message into an
>> EAP-Notification and send it after the EAP-Success or EAP-Failure.
>
> This is not compliant with the EAP specification (EAP-Notification
> needs to be sent prior to completion of an EAP authentication method).
> Sending it after EAP-Success or EAP-Failure would look like an attempt
> to initiate another authentication exchange.

Their 802.1X implementation was pre-RFC 3579. In newer firmware releases this has been fixed.

>> It may be possible to send it before the EAP-Success/EAP-Failure message for
>> some EAP methods, but chances are not all supplicants will like it, and most
>> probably won't display anything.
>
> EAP-Notification is not really supported in general and even the
> specification does not really require displaying anything from this
> message to the user. There is also no way of authenticating this
> information, so this would not be ideal for authorization failures.

Agreed. But in the absence of a standards solution it might be interesting to experiment and see how supplicants respond to this.

-Arran
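
The ordering problem discussed in this thread, as an added example that is not part of the original messages: a checker that parses raw EAP packets from a capture and flags any Notification Request that arrives after EAP-Success or EAP-Failure. The function names and the sample packets are constructed for illustration, and treating any later non-Notification Request as the start of a new exchange is an assumption of this sketch.

```python
import struct

# EAP codes and the Notification type number as defined in RFC 3748.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NOTIFICATION = 1, 2

def build_eap(code, ident, eap_type=None, data=b""):
    """Build one EAP packet (helper for the constructed samples below)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Return (code, identifier, type or None, type_data) for one EAP packet."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP Length field")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        return code, ident, pkt[4], pkt[5:length]
    return code, ident, None, b""

def late_notifications(packets):
    """Indexes of Notification Requests sent after Success/Failure."""
    finished, late = False, []
    for i, pkt in enumerate(packets):
        code, _, eap_type, _ = parse_eap(pkt)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            finished = True
        elif code == EAP_REQUEST and eap_type == EAP_TYPE_NOTIFICATION:
            if finished:
                late.append(i)
        elif code == EAP_REQUEST:
            finished = False  # assumption: a new exchange has started
    return late

# Constructed sample exchanges (not captured traffic).
MSG = b"Account disabled"
COMPLIANT = [build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
             build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"user"),
             build_eap(EAP_REQUEST, 2, EAP_TYPE_NOTIFICATION, MSG),
             build_eap(EAP_RESPONSE, 2, EAP_TYPE_NOTIFICATION),
             build_eap(EAP_FAILURE, 2)]
OLD_SWITCH = [build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
              build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"user"),
              build_eap(EAP_FAILURE, 1),
              build_eap(EAP_REQUEST, 3, EAP_TYPE_NOTIFICATION, MSG)]
```
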