Re: FW: [Pana] RADIUS Access-Reject and NAP/ISP authz



>   It's not clear to me.  The text is ambiguous, and I could interpret
> it in many ways, but the examples in 2.3.4 show "client disconnected"
> as a result of RADIUS Access-Reject.

Thanks for the reference.

>    If EAP is negotiated but is not supported by the RADIUS proxy or
>    server, then the server or proxy MUST respond with an Access-Reject.
>    In these cases, the NAS MUST send an LCP-Terminate and disconnect the
>    user.

Well, I guess they really do mean "disconnect" in the case of PPP.

>   While I'm not familiar with the details of 802.11i, I'm not sure
> what it means to be in an "authenticated" state after the session was
> rejected.  Maybe this is just a terminology difference between 802.11i
> and RADIUS.

It's an artifact of the 802.11 state machine, which in 802.11-2003
includes a link layer "authentication" frame that is not used by 802.1X
(or at least 802.1X operates after "open" authentication).  The bottom
line is that the STA is still Associated after failing 802.1X
authentication and can attempt 802.1X authentication again.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>