[RADIATOR] (P)EAP flow

Heikki Vatiainen hvn at open.com.au
Mon Feb 17 08:22:10 CST 2014


On 02/14/2014 07:17 PM, Garry Shtern wrote:
> I have noticed that if Radiator receives a midstream EAP exchange
> message, it responds back with a CHALLENGE.

I would expect something like this with PEAP.

ERR: EAP TLS error: -1, 1, 8465,  13062: 1 - error:140940F5:SSL
routines:SSL3_READ_BYTES:unexpected record

Then an Access-Reject is sent back to the client.

> I am trying to understand
> what exactly happens at this point.  Does the Supplicant respond to the
> challenge with a brand new exchange or just retransmits whatever packet
> it sent before?  If it’s the latter, is there any way to force a
> supplicant to re-start the negotiation, perhaps with a crafted CHALLENGE?

The supplicant probably restarts, but that's only because it got an
unexpected response. In most cases I would expect that a midstream EAP
message results in some sort of error on the Radiator side.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

