RFC 2869bis Issue 83

EAP authenticators (e.g. a NAS) can only be assumed to check the validity of the EAP header:
- Code, Identifier and Length checks are required by RFC 2284
- The Type field is typically not checked in pass-through authenticators (not required by RFC 2284)
- Method-specific MICs are not checked in pass-through authenticators

Result: the AAA server can receive invalid EAP packets
- The response to an invalid EAP packet is method-specific
- Example: in TLS, a MIC validation failure is a fatal error

How does a AAA server silently discard invalid EAP packets?
- Without some kind of notification, the NAS will retransmit

Backward compatibility requirement
- Want a message that is interpreted by existing implementations as an Access-Reject and by new implementations as a “packet reject” request
- Current recommendation: Service-Type=Packet-Reject within an Access-Challenge
- RFC 2865: “A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access-Reject had been received instead.”
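The following is an added illustration, not code from the RFC 2869bis discussion or from any RADIUS implementation: it models the header-only checks a pass-through authenticator performs on a peer's EAP Response, then shows how an existing NAS and an updated NAS each handle an Access-Challenge carrying Service-Type=Packet-Reject. The numeric Service-Type value for Packet-Reject is a placeholder (the issue text assigns none), the RADIUS Authenticator field is zeroed rather than computed, and all packets are constructed samples.

```python
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
# RADIUS attribute types
ATTR_SERVICE_TYPE = 6     # RFC 2865 section 5.6
ATTR_EAP_MESSAGE = 79     # RFC 2869 section 5.13

# Service-Type values an RFC 2865-era NAS knows about (1..11).
RFC2865_SERVICE_TYPES = set(range(1, 12))
# Placeholder (assumption): the discussion assigns no number to Packet-Reject.
SERVICE_TYPE_PACKET_REJECT = 0xFE

# EAP codes (RFC 2284 section 2.2)
EAP_RESPONSE = 2


def nas_eap_response_ok(eap: bytes, expected_id: int) -> bool:
    """Header checks a pass-through authenticator performs before relaying a
    peer's EAP Response: Code, Identifier and Length only. The Type byte and
    any method-specific MIC are deliberately not inspected; that is the gap
    Issue 83 describes."""
    if len(eap) < 5:                       # Code, Identifier, Length, Type
        return False
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or ident != expected_id:
        return False
    return length == len(eap)


def build_radius(code: int, identifier: int, attrs) -> bytes:
    """Serialize a RADIUS packet. The 16-byte Authenticator is zeroed: this
    example does not model Response Authenticator or Message-Authenticator."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16) + body


def parse_radius(pkt: bytes):
    """Return (code, identifier, [(type, value), ...]) with Length sanity checks."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS Length")
    attrs, off = [], 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute Length")
        attrs.append((t, pkt[off + 2:off + l]))
        off += l
    return code, identifier, attrs


def nas_action(pkt: bytes, knows_packet_reject: bool) -> str:
    """Decide what a NAS does with a server reply.
    knows_packet_reject=False models an existing RFC 2865/2869 NAS,
    True models one updated for the proposed Packet-Reject semantics."""
    code, _, attrs = parse_radius(pkt)
    if code == ACCESS_ACCEPT:
        return "accept"
    if code == ACCESS_REJECT:
        return "reject"
    if code != ACCESS_CHALLENGE:
        return "discard"
    for t, v in attrs:
        if t == ATTR_SERVICE_TYPE and len(v) == 4:
            (st,) = struct.unpack("!I", v)
            if knows_packet_reject and st == SERVICE_TYPE_PACKET_REJECT:
                # New semantics: drop the offending EAP packet, keep the
                # session, and do not retransmit it to the AAA server.
                return "drop-eap-packet"
            if st not in RFC2865_SERVICE_TYPES:
                # RFC 2865: unknown/unsupported Service-Type == Access-Reject
                return "reject"
    return "forward-eap-to-peer"


def demo() -> dict:
    """Constructed sample exchange: the server rejects one EAP packet."""
    challenge = build_radius(ACCESS_CHALLENGE, 9, [
        (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_PACKET_REJECT)),
    ])
    ordinary = build_radius(ACCESS_CHALLENGE, 10, [
        # EAP-Request, id 11, Type 13 (EAP-TLS), Flags S bit set (constructed)
        (ATTR_EAP_MESSAGE, b"\x01\x0b\x00\x06\x0d\x20"),
    ])
    return {
        "legacy_nas": nas_action(challenge, knows_packet_reject=False),
        "new_nas": nas_action(challenge, knows_packet_reject=True),
        "ordinary_challenge": nas_action(ordinary, knows_packet_reject=True),
        # EAP-Response, id 7, Type 13 with empty body: header passes
        "eap_header_ok": nas_eap_response_ok(b"\x02\x07\x00\x05\x0d", 7),
        "eap_wrong_id": nas_eap_response_ok(b"\x02\x08\x00\x05\x0d", 7),
        "eap_bad_length": nas_eap_response_ok(b"\x02\x07\x00\x09\x0d", 7),
    }
```

The legacy path relies only on the RFC 2865 rule quoted above, which is why the same Access-Challenge reads as a reject to an old NAS and as a per-packet discard to a new one; a real NAS would additionally verify Message-Authenticator before acting on any EAP-carrying reply.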