Re: RFC 3579 and Access-Accepts
Stefan,

the message included seems to me an EAP Success message (Code 0x03) and in no way an EAP Message/EAP Request/Notification (would be 0x01yy02). I do not see the problem at a first glance - am I mistaken?

Artur

On 19 Sep 2007, at 13:11, Stefan Winter wrote:

Hello,

it seems that FreeRADIUS is sending an EAP-Message fragment along with its Access-Accepts, as in:

Packet-Type = Access-Accept
Wed Sep 19 11:59:25 2007
    MS-MPPE-Recv-Key = stuff
    MS-MPPE-Send-Key = morestuff
    EAP-Message = 0x03070004
    Message-Authenticator = 0x593773a711f50bd8b4ce98434a7e1590
    User-Name = "[EMAIL PROTECTED]"
    Proxy-State = 0x323039

Whereas RFC 3579, chapter 2.6.5 says:

"An EAP-Message/EAP-Request/Notification SHOULD NOT be included within an Access-Accept or Access-Reject packet."

This is now the second RADIUS implementation I see that behaves like that - is there a reason for the EAP-Message and something wrong with 3579, or is that SHOULD NOT just ignored by most?

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: RFC 3579 and Access-Accepts
> I'm curious as to which implementations *don't* send EAP-Success in
> Access-Accept. If they don't do that, then what the heck is in the
> Access-Accept?

Ah, never mind. This was just a mis-reading on my side then. Sorry for the noise.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Re: RFC 3579 and Access-Accepts
Stefan Winter wrote:
> it seems that FreeRADIUS is sending an EAP-Message fragment along with its
> Access-Accepts, as in:
...
> Whereas RFC 3579, chapter 2.6.5 says:
> "An EAP-Message/EAP-Request/Notification SHOULD NOT be included within an
> Access-Accept or Access-Reject packet."

See Appendix A. They clearly show EAP-Success in an Access-Accept.

See also Section 2.6.3:

    Access-Accept packets SHOULD have only one EAP-Message attribute in them, containing EAP Success; similarly, Access-Reject packets SHOULD have only one EAP-Message attribute in them, containing EAP Failure.

> This is now the second RADIUS implementation I see that behaves like that -
> is there a reason for the EAP-Message and something wrong with 3579, or is
> that SHOULD NOT just ignored by most?

I'm curious as to which implementations *don't* send EAP-Success in Access-Accept. If they don't do that, then what the heck is in the Access-Accept?

Alan DeKok.
RE: RFC 3579 and Access-Accepts
Hi Stefan,

> Whereas RFC 3579, chapter 2.6.5 says:
> "An EAP-Message/EAP-Request/Notification SHOULD NOT be
> included within an Access-Accept or Access-Reject packet."

I think this is a case of mis-reading the (confusing?) notation used by the RFC. What the RFC is saying is that you are not permitted to include a Notification within an EAP-Request within an EAP-Message within an Access-Accept. It's not saying you're not allowed to include an EAP-Message attribute _per se_.

FWIW, I don't think it would be possible to implement a compliant EAP method without including an EAP-Message in the Access-Accept; you need to return an EAP-Success or EAP-Failure, and IIRC you can't do that in an Access-Challenge.

josh.
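
Added example, not part of the original thread and not FreeRADIUS code: a small Python decoder for the EAP header in an EAP-Message attribute, plus a check of the two RFC 3579 rules quoted above (sections 2.6.3 and 2.6.5). The function names and the second sample value are constructed for illustration; `0x03070004` is the value from Stefan's log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_NOTIFICATION = 2  # EAP Type field value for Notification

def unhex(value):
    """Turn a '0x...' attribute value as printed in the log into bytes."""
    return bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)

def parse_eap(raw):
    """Decode the EAP header: Code (1 byte), Identifier (1), Length (2)."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP Length {length} does not fit {len(raw)} bytes")
    # Only Request/Response carry a Type byte after the header.
    eap_type = raw[4] if code in (1, 2) and length >= 5 else None
    return {"code": code, "name": EAP_CODES.get(code, "Unknown"),
            "id": ident, "length": length, "type": eap_type}

def check_rfc3579(packet_type, eap_attrs):
    """Findings for the two RFC 3579 rules quoted in the thread."""
    expected = {"Access-Accept": 3, "Access-Reject": 4}.get(packet_type)
    if expected is None:
        return []  # other packet types are out of scope here
    findings = []
    if len(eap_attrs) != 1:
        findings.append(f"2.6.3: {len(eap_attrs)} EAP-Message attributes, expected one")
    if not eap_attrs:
        return findings
    # Multiple EAP-Message attributes are fragments of one EAP packet.
    eap = parse_eap(b"".join(unhex(a) for a in eap_attrs))
    if eap["code"] == 1 and eap["type"] == EAP_TYPE_NOTIFICATION:
        findings.append(f"2.6.5: EAP-Request/Notification in {packet_type}")
    elif eap["code"] != expected:
        findings.append(f"2.6.3: EAP {eap['name']} in {packet_type}, "
                        f"expected EAP {EAP_CODES[expected]}")
    return findings

if __name__ == "__main__":
    print(parse_eap(unhex("0x03070004")))                  # value from the thread
    print(check_rfc3579("Access-Accept", ["0x03070004"]))
    # Constructed sample: Request, id 8, length 5, Type 2 (Notification)
    print(check_rfc3579("Access-Accept", ["0x0108000502"]))
```

The value from the log decodes to Code 3 (Success), Identifier 7, Length 4 and produces no findings for an Access-Accept, which matches the replies in the thread.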