RFC Errata



Found 2 records.

Status: Reported (2)

RFC 3579, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", September 2003

Note: This RFC has been updated by RFC 5080

Source of RFC: IETF - NON WORKING GROUP

Errata ID: 6154
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Alan DeKok
Date Reported: 2020-05-01
Edited by: Eliot Lear
Date Edited: 2022-04-01

Section 2.1 says:

   EAP-Start is indicated by sending an EAP-Message attribute with a
   length of 2 (no data).


It should say:

   EAP-Start is indicated by sending an EAP-Message attribute with a
   length of 3.  The single byte of data SHOULD be set to zero on
   transmission and MUST be ignored on receipt.  RADIUS clients MUST
   NOT send EAP-Message attributes of length 2, as attributes with no
   value are not permitted in RADIUS.  However, for historical reasons
   and for compatibility with existing practice, RADIUS servers MUST
   accept EAP-Messages of length 2, and treat them as EAP-Start.

Notes:

RFC 2865 Section 5 says that empty attributes must be omitted:

   text 1-253 octets containing UTF-8 encoded 10646 [7]
   characters. Text of length zero (0) MUST NOT be sent;
   omit the entire attribute instead.

Section 3.1 of RFC 3579 also says that the EAP-Message attribute cannot be sent with length 2:

   ...
   Type

      79 for EAP-Message

   Length

      >= 3
   ...

In practice, few devices seem to send EAP-Message with Length 2.
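
The receive and transmit rules proposed in Errata ID 6154, shown as an added example that is not part of the erratum or of any RFC text. The function names, the constructed sample bytes in the comments, and the rule that a lone EAP-Message carrying at most one data byte is treated as EAP-Start are assumptions of this sketch.

```python
EAP_MESSAGE = 79  # RADIUS attribute type for EAP-Message (RFC 3579 Section 3.1)

def encode_eap_start() -> bytes:
    """Client side: Type 79, Length 3, one zero data byte (never Length 2)."""
    return bytes([EAP_MESSAGE, 3, 0])

def parse_attributes(buf: bytes, lenient_types=(EAP_MESSAGE,)):
    """Split a RADIUS attribute region into (type, value) pairs.

    The Length octet counts the 2-byte header. Length 2 (no value) is
    rejected, except for types in lenient_types, which a server accepts
    for compatibility with existing practice.
    """
    attrs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        if alen == 2 and atype not in lenient_types:
            raise ValueError(f"empty attribute {atype} not permitted")
        attrs.append((atype, buf[i + 2:i + alen]))
        i += alen
    return attrs

def classify_eap(buf: bytes):
    """Server side: return (kind, eap_bytes) for an Access-Request's attributes."""
    eap = [v for t, v in parse_attributes(buf) if t == EAP_MESSAGE]
    if not eap:
        return ("no-eap", b"")
    # Assumption: a single EAP-Message of Length 2 or 3 signals EAP-Start.
    # The data byte, if present, is ignored on receipt.
    if len(eap) == 1 and len(eap[0]) <= 1:
        return ("eap-start", b"")
    # Otherwise the values are fragments of one EAP packet, in order.
    return ("eap-packet", b"".join(eap))

# Constructed sample: User-Name "bob" followed by an EAP-Start.
SAMPLE_REQUEST = bytes([1, 5]) + b"bob" + encode_eap_start()
```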

Errata ID: 6259
Status: Reported
Type: Technical
Publication Format(s) : TEXT

Reported By: Alan DeKok
Date Reported: 2020-08-20
Edited by: Eliot Lear
Date Edited: 2022-04-01

Section 2.1 says:

  Where the initial EAP-Request sent by the NAS is for an
  authentication Type (4 or greater), the peer MAY respond with a Nak
  indicating that it would prefer another authentication method that is
  not implemented locally.  

It should say:

  Where the initial EAP-Request sent by the NAS is for an
  authentication Type (4 or greater), the peer MAY respond with a Nak
  indicating that it would prefer another authentication method. In this
  case, the NAS should send an Access-Request encapsulating the
  received EAP-Response/Nak.  This allows a peer to suggest another
  EAP method where the NAS is configured to send a default EAP
  type (such as MD5-Challenge) which may not be appropriate.

Notes:

Clarify what happens when a NAK is received and correct the "not" in the original text.
