EAP Authentication negotiation
1 posts by 1 authors in: Forums > CWSP - Enterprise Wi-Fi Security
Last Post: July 17, 2007:
From RFC3579:
Where the initial EAP-Request sent by the NAS is for an authentication Type (4 or greater), the peer MAY respond with a Nak indicating that it would prefer another authentication method that is not implemented locally. In this case, the NAS SHOULD send Access-Request encapsulating the received EAP-Response/Nak. This provides the RADIUS server with a hint about the authentication method(s) preferred by the peer, although it does not provide information on the Type of the original Request. It also provides the server with the Identifier used in the initial EAP-Request, so that Identifier conflicts can be avoided.
I tried this in the lab last week, and with PeriodikLabs Elektron as the RADIUS and using Microsoft's WZC as the supplicant, the supplicant never responded with a hint about the type of EAP it wanted to use. The RADIUS kept trying over and over to get the station to accept LEAP (since it was the only EAP type I had configured on the RADIUS server), but the station kept just saying NAK (because it was only configured for PEAP).
It's very possible that in some supplicants some hint might be given to the authentication server (AS), but I haven't personally seen it - not having configured this scenario with every supplicant and AS on the market.
Devinator
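
Added example, not part of the original post: a parser for the legacy Nak (EAP Type 3, RFC 3748) that shows where the hint mentioned in the RFC3579 passage sits in the packet, and how a Nak with Type 0 (no alternative proposed) differs from one naming a method. The packets are constructed samples and the function names are illustrative.

```python
import struct

# Subset of IANA-assigned EAP method Types, enough for the scenario in the post.
EAP_TYPES = {4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP",
             21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
EAP_RESPONSE, EAP_TYPE_NAK = 2, 3


def build_nak(identifier, desired_types):
    """Build an EAP-Response/Nak: Code, Identifier, Length, Type=3, Type-Data."""
    body = bytes([EAP_TYPE_NAK, *desired_types])
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def parse_legacy_nak(packet):
    """Return (identifier, [desired method names]) from an EAP-Response/Nak.

    An empty list means the peer sent Type 0: it refuses the offered method
    and proposes no alternative, so the server gets no usable hint.
    """
    if len(packet) < 5:
        raise ValueError("too short for an EAP Response")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP Length field")
    if code != EAP_RESPONSE or packet[4] != EAP_TYPE_NAK:
        raise ValueError("not an EAP-Response/Nak")
    desired = packet[5:length]  # octets past Length are padding and ignored
    if not desired:
        raise ValueError("Nak carries no Type-Data")
    return identifier, [EAP_TYPES.get(t, f"Type {t}") for t in desired if t != 0]


# Constructed samples: the Identifier (7) echoes the EAP-Request being refused.
NAK_WITH_HINT = build_nak(7, [25])  # peer asks for PEAP instead
NAK_NO_HINT = build_nak(7, [0])     # peer offers no alternative

if __name__ == "__main__":
    for label, pkt in (("hint", NAK_WITH_HINT), ("no hint", NAK_NO_HINT)):
        print(label, pkt.hex(), parse_legacy_nak(pkt))
```
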