Hi, >> >> The main limitation on bulk data transfer is that most EAP to >> >> RADIUS gateways (AP's, etc.) will terminate an EAP session after ~50 >> >> packets. >> > >> > This kind of thing drives me crazy. Why are their such policies? >> >> To prevent bulk transfer of data over EAP, among others. > > This would seem like a highly unlikely scenario, as in most system, > someone privileged would have > to install this rogue EAP module in the AAA system.
Which might make sense in a roaming system if you want your users to get around being billed. Provider A and B operate WLAN hotspots, say with realm-based routing. A wants all his users to get access to B's hotspots, but without being billed for it :-) A sets up an EAP server with "EAP-Fraud" method which merely tunnels IP in EAP, installs supplicant with EAP-Fraud support on his clients. A's clients travel to a B-hotspot, and start a LONG authentication session to their A realm which is in fact normal IP communication via an IP proxy on their home EAP server. After an hour or so of merrily speaking IP, client indicates a wish to disconnect to home and the EAP server sends an Access-Reject. No bill, since "the authentication failed". Just took a while. Greetings, Stefan Winter >> > Please do not build EAP session breaking assumptions into AAA >> implementations. >> >> It would be useful to codify these experiences into an EAP "best >> practices" document. > > I've done it before... (I'll find the proceedings reference) > An update is coming.... > > Dave. > > >> Alan DeKok. > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
