[strongSwan] EAP TTLS MSCHAPv2 authentication error : expected AVP_EAP_MESSAGE but received 462

Tobias Brunner tobias at strongswan.org
Tue Apr 19 15:33:45 CEST 2016


Hi Marwane,

> Does it mean that strongswan's EAP TTLS plugin is only compatible with
> radius attributes ?

RFC 5281 (EAP-TTLSv0 [1]) only describes the encapsulation of EAP
messages in 'EAP-Message' RADIUS AVPs.  Actually, the list of allowed
AVPs is very specific (see section 13).  The 'EAP-Payload' Diameter AVP
defined in RFC 4072 (released three years earlier [2]) is not mentioned
at all.  And the registry for allowed AVPs was never extended later
either [3].  So it seems what the Cisco ePDG is doing is not RFC compliant.

Regards,
Tobias

[1] https://tools.ietf.org/html/rfc5281
[2] https://tools.ietf.org/html/rfc4072
[3] http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-10
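
Added example (not part of the original message and not strongSwan code): a minimal parser for the AVP framing that RFC 5281 uses inside the TTLS tunnel, showing why a peer that accepts only the 'EAP-Message' AVP (code 79) rejects an 'EAP-Payload' AVP (code 462). The function names and the sample EAP packet are constructed for illustration.

```python
import struct

AVP_EAP_MESSAGE = 79   # RADIUS EAP-Message: the AVP RFC 5281 uses to tunnel EAP
AVP_EAP_PAYLOAD = 462  # Diameter EAP-Payload (RFC 4072)
FLAG_VENDOR = 0x80     # V bit: a 4-byte Vendor-ID follows the length field
SAMPLE_EAP = b"\x02\x01\x00\x09\x01user"  # constructed EAP-Response/Identity


def build_avp(code, data):
    """Encode one AVP (M bit set, no Vendor-ID), zero-padded to 4 bytes."""
    length = 8 + len(data)  # AVP Length covers header + data, not the padding
    header = struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)


def parse_avps(buf):
    """Return [(code, vendor_id, data), ...]; raise ValueError if malformed."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_VENDOR else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        avps.append((code, vendor, buf[off + hdr:off + length]))
        off += length + (-length % 4)  # step over the padding
    return avps


def extract_eap(buf):
    """Return the tunneled EAP packet; accept only a non-vendor EAP-Message AVP."""
    avps = parse_avps(buf)
    if not avps:
        raise ValueError("no AVP in tunneled data")
    code, vendor, data = avps[0]
    if code != AVP_EAP_MESSAGE or vendor is not None:
        raise ValueError(f"expected EAP-Message (79) but received AVP {code}")
    return data
```
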


