Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579:
Alan DeKok <aland@deployingradius.com> Thu, 31 March 2022 22:53 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AC7A3A1F7D; Thu, 31 Mar 2022 15:53:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cXwdvYY4Hdof; Thu, 31 Mar 2022 15:53:01 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 535BC3A0F00; Thu, 31 Mar 2022 15:52:40 -0700 (PDT)
Received: from smtpclient.apple (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 92A53690; Thu, 31 Mar 2022 22:52:37 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAOW+2dudRkygc8PPobWgUNZd7n5v6YsJGVJjRZDoM_pwvnxFOg@mail.gmail.com>
Date: Thu, 31 Mar 2022 18:52:35 -0400
Cc: "Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org>, radext@ietf.org, EMU WG <emu@ietf.org>, emu-ads@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <35F3907F-9EDD-45D7-B2CB-101FD02FE642@deployingradius.com>
References: <fbc6e33a-fa6a-ba2c-0840-700116a6a182@rfc-editor.org> <CAOW+2dvuh2r-qbKM0h-qohTOpCiUy_U58vi22nNiXJs4cOjUBA@mail.gmail.com> <7FEC9E12-846B-4218-8F29-F6839243B8C2@deployingradius.com> <CAOW+2dudRkygc8PPobWgUNZd7n5v6YsJGVJjRZDoM_pwvnxFOg@mail.gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/QZMLYUUmo4BH9gYeeCY-uxfRnzU>
Subject: Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579:
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 22:53:05 -0000
On Mar 31, 2022, at 4:40 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote: > > Alan suggested: > " EAP-Start is indicated by sending an EAP-Message attribute with a > length of 3. The single byte of data SHOULD be set to zero on > transmission and MUST be ignored on receipt. RADIUS clients MUST NOT > send EAP-Message attributes of length 2, as attributes with no value > are not permitted in RADIUS. However, for historical reasons and for > compatibility with existing practice, RADIUS servers MUST accept EAP-Messages > of length 2, and treat them as EAP-Start. > > Just checking the source I have locally, the server accepts zero-length EAP-Message (or any other text/string attribute, for that matter). So that's fine." > > [BA] This suggested errata text looks good. Thanks. > [BA] This text is better. The implicit assumption here is that the NAS is sending an EAP-Request with a locally implemented EAP type, without talking to the RADIUS server. Of course, the same thing could happen if the RADIUS server uses an inappropriate default type. So perhaps this might work: > > " Where the initial EAP-Request sent by the NAS is for an > authentication Type (4 or greater), the peer MAY respond with a Nak > indicating that it would prefer another authentication method. In this > case, the NAS should send an Access-Request encapsulating the > received EAP-Response/Nak. This allows a peer to suggest another > EAP method where the NAS is configured to send a default EAP > type (such as MD5-Challenge) which may not be appropriate." That looks good to me, thanks. Alan DeKok.
- Re: [radext] EAP Erratum 6154 on RFC 3579: Bernard Aboba
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Alan DeKok
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Bernard Aboba
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Alan DeKok
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Independent Submissions Editor (Eliot Lear)
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Independent Submissions Editor (Eliot Lear)
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Bernard Aboba
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Alan DeKok
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Independent Submissions Editor (Eliot Lear)
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Eliot Lear
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Alan DeKok
- Re: [radext] [Emu] EAP Erratum 6154 on RFC 3579: Oleg Pekar