On Fri, 4 Oct 2024 at 20:30, Alan DeKok <al...@deployingradius.com> wrote:
> On Oct 4, 2024, at 12:46 PM, Heikki Vatiainen <h...@radiatorsoftware.com> wrote:
>
> > That is, switching to a non-provisioning fully credentialed
> > authentication with a NAK shouldn't be done when the initial
> > EAP-Response/Identity contains an eap.arpa domain. Also, when provisioning
> > is done, the EAP method must match the eap.arpa domain.
> >
> > My main concern is that the EAP identity could easily end up in logs
> > with eap.arpa domain while the EAP authentication and network access was
> > granted after a non-provisioned authentication.
>
> I'm not sure how that would work. The eap.arpa domain should result in
> limited network access. Any credentials which get provisioned are just
> normal credentials, and will get whatever network access is appropriate.
>
> How is "network access was granted after a non-provisioned
> authentication"?

I was thinking something like this:

- EAP client has credentials for EAP methodX that are about to expire; provisioning is required
- The client attempts provisioning with EAP identity ending with methodX.eap.arpa
- The server for some reason responds with an EAP methodY, that is, not methodX
- The client proceeds with methodY, or NAKs and asks for methodX
- The server does normal authentication with methodY or methodX
- The logs show that the provisioning realm was used while the authentication was non-provisioning, full authentication

The client might try to be helpful by attempting to authenticate even if the provisioning didn't work. Instead of continuing directly, it should have just reset the link and tried full authentication (no provisioning).

The server might have been helpful because it had lost connection to the provisioning DB or otherwise had determined that it couldn't start provisioning at this time. Instead of being helpful, the server should be clear that this authentication cannot continue and must fail.

-- 
Heikki Vatiainen
h...@radiatorsoftware.com
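As an added illustration (not code from the thread, from either author, or from any EAP implementation), here is a server-side policy check for the scenario above: the EAP method must match the method label in an X.eap.arpa realm, a provisioning realm is never allowed to fall back to full authentication, and a log can be scanned for the realm/session mismatch Heikki worries about. The NAI layout `user@methodX.eap.arpa` and the method names `methodx`/`methody` are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Provisioning realm discussed in the thread; "methodx" etc. below are
# constructed placeholder method names, not real EAP method identifiers.
PROVISIONING_ROOT = "eap.arpa"


@dataclass(frozen=True)
class Decision:
    proceed: bool       # may the server start or continue this EAP method?
    provisioning: bool  # if so, is it a provisioning (limited-access) session?
    reason: str


def provisioning_method(identity: str) -> Optional[str]:
    """Return the method label X from an NAI realm of the form X.eap.arpa.

    None means the identity names no provisioning realm (normal auth);
    "" means the realm is eap.arpa without a method label (malformed).
    """
    realm = identity.rpartition("@")[2].lower()
    if realm == PROVISIONING_ROOT or realm.endswith("." + PROVISIONING_ROOT):
        return realm[: -len(PROVISIONING_ROOT)].rstrip(".")
    return None


def check_method(identity: str, method: str, provisioning_available: bool) -> Decision:
    """Policy check run before the server starts an EAP method, and run again
    for the method named in any EAP NAK the client sends back."""
    wanted = provisioning_method(identity)
    if wanted is None:
        return Decision(True, False, "no provisioning realm: normal authentication")
    if wanted == "":
        return Decision(False, False, "eap.arpa realm without a method label: fail")
    if not provisioning_available:
        # The server must fail here rather than fall back to full authentication.
        return Decision(False, False, f"provisioning for {wanted} unavailable: fail")
    if method.lower() != wanted:
        # Covers both a server offering methodY and a client NAK to methodY.
        return Decision(False, False, f"realm names {wanted} but method is {method}: fail")
    return Decision(True, True, f"provisioning with {wanted}: limited network access")


def log_is_inconsistent(identity: str, decision: Decision) -> bool:
    """Detection for the logging concern: a provisioning realm recorded next to
    a session that went on to full, non-provisioning authentication."""
    return (provisioning_method(identity) is not None
            and decision.proceed and not decision.provisioning)
```

Calling `check_method` once when the server picks its initial method and again for the method in any NAK is what keeps the realm, the method and the access level consistent in the logs.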
_______________________________________________
Emu mailing list -- emu@ietf.org
To unsubscribe send an email to emu-le...@ietf.org