Re: Issue: Treatment of null Identity Response

[Jari Arkko <jari.arkko@piuha.net>]

Interesting question. One possible answer is that the
NAS should fail the login attempt. This seems reasonable,
because without a NAI it will be hard to route the authentication
request anyway. But is there use of EAP where the user
identity is not known but some other identity (e.g. calling
line identification) is used on the NAS side to decide which
customer this is?

--Jari

Bernard Aboba wrote:

> RFC 3748 and RFC 2865 appear to disagree on the subject of whether a 
> response to an EAP-Request/Identity can be an EAP-Response/Identity 
> packet with no data.
>
> RFC 3748 Section 5.1 says:
>
>   Type
>
>      1
>
>   Type-Data
>
>      This field MAY contain a displayable message in the Request,
>      containing UTF-8 encoded ISO 10646 characters [RFC2279].  Where
>      the Request contains a null, only the portion of the field prior
>      to the null is displayed.  If the Identity is unknown, the
>      Identity Response field should be zero bytes in length.  The
>      Identity Response field MUST NOT be null terminated.  In all
>      cases, the length of the Type-Data field is derived from the
>      Length field of the Request/Response packet.
>
> So according to RFC 3748, it is possible to have an Identity Response 
> field that is zero bytes in length, if the identity is not known.
>
> However, RFC 2865 Section 5.1 says:
>
> 5.1.  User-Name
>
>   Description
>
>      This Attribute indicates the name of the user to be authenticated.
>      It MUST be sent in Access-Request packets if available.
>
>      It MAY be sent in an Access-Accept packet, in which case the
>      client SHOULD use the name returned in the Access-Accept packet in
>      all Accounting-Request packets for this session.  If the Access-
>      Accept includes Service-Type = Rlogin and the User-Name attribute,
>      a NAS MAY use the returned User-Name when performing the Rlogin
>      function.
>
>   A summary of the User-Name Attribute format is shown below.  The
>   fields are transmitted from left to right.
>
>    0                   1                   2
>    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
>   |     Type      |    Length     |  String ...
>   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
>
>   Type
>
>      1 for User-Name.
>
>   Length
>
>      >= 3
>
>   String
>
>      The String field is one or more octets.  The NAS may limit the
>      maximum length of the User-Name but the ability to handle at least
>      63 octets is recommended.
>
>      The format of the username MAY be one of several forms:
>      text      Consisting only of UTF-8 encoded 10646 [7] characters.
>      network access identifier
>
> Since the User-Name must be at least 3 bytes in length, a zero-length 
> String field is not acceptable.
>
> Question:  What does a RADIUS client do if it receives an 
> EAP-Identity/Response with no data?
>
>
>
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>