On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
>
> Just wondered if someone could explain the reason why, on rejection
> of EAP authentication, an access challenge request is sent out to the
> NAS, and whether it’s something we can control or not?

I assume you're referring to the fact that the inner tunnel reject is sent as an outer access-challenge?

The packet flow is this:

C: Access-Request   EAP / TLS-setup
S: Access-Challenge EAP / TLS-setup
...
C: Access-Request   EAP / TLS / inner access-request
S: Access-Challenge EAP / TLS / inner access-reject
C: Access-Request   EAP / TLS [ack]
S: Access-Reject    EAP / reject

Basically, the protocols send the inner reject as a TLS frame, so that the client can't be tricked by a fake reject. The client then ACKs it, and the server then sends the RADIUS-level reject.

So no, you can't turn it off - it's part of the protocol specifications.

Why is this a problem for you?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
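The four-step exchange described in the reply above, as an added example that is not part of the original mail or of FreeRADIUS itself. The TLS record layer is stood in for by an HMAC tag keyed with the tunnel key (an assumption, to keep the script self-contained), which is enough to show why the inner reject rides in an outer Access-Challenge and why an inner reject that did not come through the tunnel is ignored by the client.

```python
import hashlib
import hmac

# Real RADIUS packet codes (RFC 2865).
ACCESS_REQUEST, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 3, 11
TAG_LEN = hashlib.sha256().digest_size


def tunnel_seal(key: bytes, payload: bytes) -> bytes:
    """Stand-in for a TLS record: payload followed by an HMAC-SHA256 tag.
    Real TLS also encrypts; integrity is the property this example needs."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def tunnel_open(key: bytes, record: bytes) -> bytes:
    """Return the inner payload, or raise if the record was not produced
    by the holder of the tunnel key (i.e. did not come through the tunnel)."""
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("inner record failed tunnel integrity check")
    return payload


def client_accepts_inner_reject(key: bytes, record: bytes) -> bool:
    """The client only acts on an inner reject it can open with the tunnel key."""
    try:
        return tunnel_open(key, record) == b"inner-access-reject"
    except ValueError:
        return False


def exchange(key: bytes) -> list:
    """Replay the tail of the exchange after the TLS setup; returns the
    sequence of (sender, outer RADIUS code) pairs the NAS would see."""
    log = []
    # C: Access-Request carrying the inner credentials inside the tunnel.
    rec = tunnel_seal(key, b"inner-access-request")
    log.append(("C", ACCESS_REQUEST))
    # S: the inner authentication fails, but the result must be delivered
    # through the tunnel first, so the outer packet is still a Challenge.
    assert tunnel_open(key, rec) == b"inner-access-request"
    rec = tunnel_seal(key, b"inner-access-reject")
    log.append(("S", ACCESS_CHALLENGE))
    # C: the client opens the record, sees the reject, and ACKs it.
    if client_accepts_inner_reject(key, rec):
        log.append(("C", ACCESS_REQUEST))
    # S: only now does the server emit the RADIUS-level reject.
    log.append(("S", ACCESS_REJECT))
    return log


if __name__ == "__main__":
    print(exchange(b"constructed-tunnel-key"))
```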