On Oct 4, 2024, at 3:18 PM, Heikki Vatiainen <h...@radiatorsoftware.com> wrote:
> I was thinking something like this:
> - EAP client has credentials for EAP methodX that are about to expire;
>   provisioning is required
> - The client attempts provisioning with EAP identity ending with
>   methodX.eap.arpa
> - The server for some reason responds with an EAP methodY, that is, not
>   methodX
> - The client proceeds with the methodY or NAKs and asks for methodX
> - The server does normal authentication with methodY or methodX

How does the client do normal authentication when the EAP Identity is "provision...@teap.eap.arpa"?

> - The logs show that the provisioning realm was used while the authentication
>   was non-provision and full authentication
>
> The client might try to be helpful by attempting to authenticate even if the
> provisioning didn't work. Instead of continuing directly, it should have just
> reset the link and tried full authentication (no provision).

The only way to do full authentication is with a non-provisioning identity.

> The server might have been helpful because it had lost connection to the
> provisioning DB or otherwise had determined that it couldn't start
> provisioning at this time. Instead of being helpful, the server should be
> clear that this authentication cannot continue and must fail.

If the server can't authenticate, it just sends EAP Failure.

Alan DeKok.
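
Added example (not part of the original message or of any EAP server's code): a Python check over constructed session records that flags the situation discussed in this thread, a session opened with a `<method>.eap.arpa` identity that ran a different method or ended in a successful full authentication. The record fields, the `mode` label and the finding names are assumptions.

```python
# Added example: audit EAP session records for provisioning identities that
# did not end in provisioning. Record layout and field names are assumptions,
# not a real server log format.
from dataclasses import dataclass
from typing import List, Optional

PROVISIONING_SUFFIX = "eap.arpa"

@dataclass
class Session:
    identity: str  # EAP Identity (NAI) sent by the client
    method: str    # EAP method the server actually ran
    mode: str      # "provisioning" or "full" (assumed server-side label)
    result: str    # "success" or "failure"

def provisioning_method(identity: str) -> Optional[str]:
    """Return the method label of a <method>.eap.arpa realm, else None."""
    _, sep, realm = identity.rpartition("@")
    realm = realm.lower().rstrip(".")  # realms compare case-insensitively
    if not sep or not realm.endswith("." + PROVISIONING_SUFFIX):
        return None  # no realm, or not a method-specific provisioning realm
    return realm[: -len(PROVISIONING_SUFFIX) - 1].split(".")[-1]

def audit(s: Session) -> List[str]:
    """List what is wrong with a session that used a provisioning identity."""
    expected = provisioning_method(s.identity)
    if expected is None:
        return []  # ordinary identity: nothing to check here
    findings = []
    if s.method.lower() != expected:
        findings.append("method-mismatch")  # server ran methodY, not methodX
    if s.mode == "full" and s.result == "success":
        # Full authentication is only possible with a non-provisioning identity.
        findings.append("full-auth-under-provisioning-identity")
    return findings

SAMPLE = [  # constructed records; user names are placeholders
    Session("user@teap.eap.arpa", "TEAP", "provisioning", "success"),
    Session("user@teap.eap.arpa", "TEAP", "provisioning", "failure"),
    Session("user@teap.eap.arpa", "TLS", "full", "success"),
    Session("alice@example.org", "TLS", "full", "success"),
]

def run() -> List[List[str]]:
    return [audit(s) for s in SAMPLE]

if __name__ == "__main__":
    for session, findings in zip(SAMPLE, run()):
        print(session.identity, session.method, findings or "ok")
```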