
RFC Errata



Found 2 records.

Status: Reported (2)

RFC 3579, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", September 2003

Note: This RFC has been updated by RFC 5080

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: ops

Errata ID: 6154
Status: Reported
Type: Technical
Publication Format(s): TEXT

Reported By: Alan DeKok
Date Reported: 2020-05-01
Edited by: Eliot Lear
Date Edited: 2022-04-01

Section 2.1 says:

   EAP-Start is indicated by sending an EAP-Message attribute with a
   length of 2 (no data).

It should say:

   EAP-Start is indicated by sending an EAP-Message attribute with a
   length of 3.  The single byte of data SHOULD be set to zero on
   transmission and MUST be ignored on receipt.  RADIUS clients MUST
   NOT send EAP-Message attributes of length 2, as attributes with no
   value are not permitted in RADIUS.  However, for historical reasons
   and for compatibility with existing practice, RADIUS servers MUST
   accept EAP-Messages of length 2, and treat them as EAP-Start.

Notes:

RFC 2865 Section 5 says that empty attributes must be omitted:

   text      1-253 octets containing UTF-8 encoded 10646 [7]
             characters.  Text of length zero (0) MUST NOT be sent;
             omit the entire attribute instead.

Section 3.1 of RFC 3579 also says that the EAP-Message attribute cannot be sent with length 2:

   ...
   Type

      79 for EAP-Message

   Length

      >= 3
   ...

In practice, few devices seem to send EAP-Message with Length 2.
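
Added example, not part of the errata report or of any RADIUS implementation: server-side Python that applies the proposed text of erratum 6154 when reading EAP-Message attributes. Function names and sample bytes are constructed. Treating only a lone EAP-Message as EAP-Start, so that a 1-octet trailing fragment of a larger EAP packet is not misread, and the strict EAP length check are assumptions of this example.

```python
# Added example: EAP-Message (type 79) handling per the proposed text of
# erratum 6154. All function names are hypothetical.
EAP_MESSAGE = 79

def parse_attributes(buf: bytes):
    """Split the attribute region of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        # Length counts the Type and Length octets, so 2 is the floor, and
        # the attribute must not run past the end of the buffer.
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, buf[i + 2:i + alen]))
        i += alen
    return attrs

def classify_eap(attrs):
    """Return ('none' | 'eap-start' | 'eap-packet', payload)."""
    values = [v for t, v in attrs if t == EAP_MESSAGE]
    if not values:
        return ("none", b"")
    # Assumption: EAP-Start is a lone EAP-Message of length 3 (one octet,
    # ignored on receipt) or, from legacy clients, length 2 (no value).
    if len(values) == 1 and len(values[0]) <= 1:
        return ("eap-start", b"")
    # Otherwise the attributes are fragments of one EAP packet: concatenate.
    eap = b"".join(values)
    # EAP header is Code, Identifier, 2-octet Length covering the packet.
    # Requiring an exact match is a strictness choice made for this example.
    if len(eap) < 4 or int.from_bytes(eap[2:4], "big") != len(eap):
        raise ValueError("EAP-Message does not hold a well-formed EAP packet")
    return ("eap-packet", eap)

def build_eap_start() -> bytes:
    """Client side: length 3, value octet set to zero on transmission."""
    return bytes([EAP_MESSAGE, 3, 0])
```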

Errata ID: 6259
Status: Reported
Type: Technical
Publication Format(s): TEXT

Reported By: Alan DeKok
Date Reported: 2020-08-20
Edited by: Eliot Lear
Date Edited: 2022-04-01

Section 2.1 says:

  Where the initial EAP-Request sent by the NAS is for an
  authentication Type (4 or greater), the peer MAY respond with a Nak
  indicating that it would prefer another authentication method that is
  not implemented locally.

It should say:

  Where the initial EAP-Request sent by the NAS is for an
  authentication Type (4 or greater), the peer MAY respond with a Nak
  indicating that it would prefer another authentication method. In this
  case, the NAS should send an Access-Request encapsulating the
  received EAP-Response/Nak.  This allows a peer to suggest another
  EAP method where the NAS is configured to send a default EAP
  type (such as MD5-Challenge) which may not be appropriate.

Notes:

Clarify what happens when a NAK is received and correct the "not" in the original text.
