On Aug 14, 2009, Alan DeKok <al...@deployingradius.com> wrote: 
...
>  I can propose EAP-IP: carrying IP packets in EAP. It's crazy, but
>  possible. 

In many ways that's what PANA is about, but that's not what spurred me to 
respond.....

> The main limitation on bulk data transfer is that most EAP to
> RADIUS gateways (AP's, etc.) will terminate an EAP session after ~50
> packets.

This kind of thing drives me crazy.  Why are there such policies?
I develop/maintain a user interactive time-based EAP authentication that, unfortunately,
has to jump through all sorts of real-time hoops for Access Points and 802.1x clients
that have these ad-hoc rules about what constitutes a "valid" EAP session time and packet wise.

It's one thing when many EAP methods deal with cached non-interactive credentials.
They can wham, bam, thank you ma'am in less than 10 seconds.

It's another when a user and an authentication device are in the loop.
My user may wait for a new OTP value to come around, fumble finger it in, and possibly have
to do it twice if he got it wrong or is out of the sync window.
It can take several minutes.

Please do not build EAP session breaking assumptions into AAA implementations.


Sorry for the rant, but I still need to write up my EAP implementation experiences
from doing my SecurID Vista client.   The pain still hasn't completely subsided yet.

Dave.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
