Glen Zorn said:
"Yes, it is, but it doesn't have to be. In IEEE 802.1X-2004, for example, the transition from the "Authenticating" state to the "Authenticated" state in the PAE machine is triggered by the reception of an Accept message from the Back-end authentication server, not by EAP-Success. In fact, great pains are taken to ensure that the "correct" EAP message (Success or Failure) is sent to the supplicant, the correctness being based not on the actual result of the EAP authentication but on the decision of the AAA server."

RFC 3579 makes it clear that the Accept/Reject sent by the AAA server controls the behavior of the AAA client, not the encapsulated EAP packet. This clarification was made in response to interoperability issues that arose in situations where Access-Reject/EAP-Success or Access-Accept/EAP-Failure packets were sent. While RFC 3579 does not forbid these packets, it does recommend against their use, since they can result in inconsistent interpretations of the authentication exchange between the EAP peer and authenticator.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
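
The rule described in this message, as an added example that is not part of the original post: a check that takes the NAS action from the RADIUS code alone and flags the Access-Reject/EAP-Success and Access-Accept/EAP-Failure combinations. The function names (eap_payload, classify, build) are hypothetical, and the sample packets are constructed with a zero authenticator and no Message-Authenticator attribute, so nothing here verifies packet integrity.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3      # RADIUS packet codes
EAP_MESSAGE = 79                         # RADIUS attribute type (RFC 3579)
EAP_SUCCESS, EAP_FAILURE = 3, 4          # EAP packet codes

def eap_payload(packet: bytes) -> bytes:
    """Concatenate every EAP-Message attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:
            eap += packet[pos + 2:pos + alen]
        pos += alen
    return eap

def classify(packet: bytes):
    """Return (nas_action, consistent) for one server-to-NAS packet."""
    eap = eap_payload(packet)
    # The action depends only on the RADIUS code, never on the EAP code.
    action = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(packet[0])
    if action is None or not eap:
        return action, True              # nothing to compare
    mismatch = {(ACCESS_ACCEPT, EAP_FAILURE), (ACCESS_REJECT, EAP_SUCCESS)}
    return action, (packet[0], eap[0]) not in mismatch

def build(code: int, eap: bytes) -> bytes:
    """Constructed sample packet: zero authenticator, one EAP-Message."""
    attr = bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH", code, 1, 20 + len(attr)) + bytes(16) + attr

if __name__ == "__main__":
    success, failure = bytes([3, 7, 0, 4]), bytes([4, 7, 0, 4])
    for code, eap in [(2, success), (3, failure), (3, success), (2, failure)]:
        print(code, eap.hex(), classify(build(code, eap)))
```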