
So I've been looking at adding support for Diameter EAP in my server. After reading up on rfc4072 and rfc3748 I was fooled to have a general idea.

My expectation was that the client would pass a so called EAP-Start message (an empty EAP-Payload AVP) to my server. I would respond with a proper EAP request for identity (type 1) and the Diameter client would deliver the response to that in the new EAP-Payload and then the cycle would continue.

However, when I was looking at actual pcap traces from freeDiameter (e.g. this pcap) I noticed that the first EAP Diameter request (No.6) contained an EAP Identity response (!!) already, kind of bypassing the initial round-trip.

While I don't have a huge problem with implementing this I would really like to know if this is by (EAP-)spec? Can you start an EAP transaction with a response?

John Fear
  • From `rfc3748`: "An authenticator receiving a Response whose Identifier value does not match that of the currently outstanding Request MUST silently discard the Response.". This makes me think that this pcap is violating the spec. – John Fear Aug 29 '14 at 20:49
  • rfc4072 (EAP over Diameter) mentions this behaviour in chapter 2.2 (Protocol Overview): "A preferred approach is for the access device to issue the EAP-Request/Identity message to the EAP client, and forward the EAP-Response/Identity packet, encapsulated within the EAP-Payload AVP, as a Diameter-EAP-Request to the Diameter server". – John Fear Oct 14 '14 at 14:17
  • You got it right: ONLY the server should send EAP-Start, so the client MUST start with an EAP-response. The server should ignore non-existing EAP connections and respond with EAP-Start for ANY_ID_REQ or similar, so the client can respond again with an EAP-response (basically sending the same EAP message twice). – Sergej Srepfler Jul 05 '15 at 04:19

1 Answer

Yes - actually, that IS in the spec.

   EAP authentication is initiated by the server (authenticator),
   whereas many authentication protocols are initiated by the client
   (peer).  As a result, it may be necessary for an authentication
   algorithm to add one or two additional messages (at most one
   roundtrip) in order to run over EAP.

So you need ANY message to trigger the server to start the EAP sequence. That is why usually you see the same message twice.

Sergej Srepfler
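The behaviour discussed in the question, the comments and the answer can be put into a small server-side state machine. The following is an added example, not code from the question, the answer or freeDiameter: it parses the EAP packet carried in the EAP-Payload AVP (RFC 3748 section 4), accepts a Response/Identity as the first packet of a new session (the RFC 4072 section 2.2 approach seen in the pcap), opens with Request/Identity when the first EAP-Payload is empty (EAP-Start), silently discards any Response whose Identifier does not match the outstanding Request (RFC 3748 section 4.1, the "same message twice" case), and then runs a CHAP-style MD5-Challenge as the one method it offers. Diameter AVP framing, the session id, the credential table and the `demo()` flow are assumptions constructed for the example.

```python
"""Server-side EAP handling behind a Diameter-EAP server (RFC 3748 / RFC 4072).
Added example; the Diameter framing around the EAP-Payload AVP is assumed to be
handled by the caller."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int] = None      # Type octet is present only in Request/Response
    type_data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.type is None else bytes([self.type]) + self.type_data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body


def parse_eap(data: bytes) -> EapPacket:
    """Parse one EAP packet (RFC 3748 section 4); reject lengths that do not fit."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("EAP Length field does not fit the data")
    body = data[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response must carry a Type octet")
        return EapPacket(code, ident, body[0], body[1:])
    return EapPacket(code, ident)


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style value used by EAP MD5-Challenge: MD5(Identifier | secret | challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class EapAuthenticator:
    """EAP server state: one outstanding Request per Diameter session."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets                    # identity -> MD5-Challenge secret (constructed)
        self.sessions: Dict[str, dict] = {}

    def handle_payload(self, session_id: str, eap_payload: bytes) -> Optional[bytes]:
        """Take the EAP-Payload content of one Diameter-EAP-Request and return the
        EAP-Payload for the answer, or None when the packet must be silently discarded."""
        sess = self.sessions.get(session_id)
        if sess is None:
            # RFC 4072 2.2: the access device may already have run Request/Identity
            # itself and forwards the Response/Identity in the very first DER, so a
            # session may legitimately open with a Response.
            if eap_payload:
                pkt = parse_eap(eap_payload)
                if pkt.code == EAP_RESPONSE and pkt.type == TYPE_IDENTITY:
                    return self._issue_challenge(session_id, pkt)
            # EAP-Start (empty EAP-Payload) or anything else: open with Request/Identity.
            req = EapPacket(EAP_REQUEST, 1, TYPE_IDENTITY)
            self.sessions[session_id] = {"outstanding": req}
            return req.encode()
        pkt = parse_eap(eap_payload)
        outstanding = sess["outstanding"]
        # RFC 3748 4.1: a Response whose Identifier does not match the currently
        # outstanding Request is silently discarded (the "same message twice" case).
        if pkt.code != EAP_RESPONSE or pkt.identifier != outstanding.identifier:
            return None
        if outstanding.type == TYPE_IDENTITY and pkt.type == TYPE_IDENTITY:
            return self._issue_challenge(session_id, pkt)
        if outstanding.type == TYPE_MD5_CHALLENGE and pkt.type == TYPE_MD5_CHALLENGE:
            return self._finish(session_id, pkt)
        del self.sessions[session_id]             # e.g. a Nak: no other method offered here
        return EapPacket(EAP_FAILURE, pkt.identifier).encode()

    def _issue_challenge(self, session_id: str, identity_resp: EapPacket) -> bytes:
        identity = identity_resp.type_data.decode("utf-8", "replace")
        challenge = os.urandom(16)
        # MD5-Challenge Type-Data is Value-Size, Value, optional Name (RFC 3748 5.4).
        req = EapPacket(EAP_REQUEST, (identity_resp.identifier + 1) & 0xFF,
                        TYPE_MD5_CHALLENGE, bytes([len(challenge)]) + challenge + b"srv")
        self.sessions[session_id] = {"outstanding": req, "identity": identity,
                                     "challenge": challenge}
        return req.encode()

    def _finish(self, session_id: str, resp: EapPacket) -> bytes:
        sess = self.sessions.pop(session_id)          # terminal either way
        secret = self.secrets.get(sess["identity"], b"")
        size = resp.type_data[0] if resp.type_data else 0
        got = resp.type_data[1:1 + size]
        want = md5_challenge_value(resp.identifier, secret, sess["challenge"])
        ok = sess["identity"] in self.secrets and hmac.compare_digest(got, want)
        # Success/Failure carry the Identifier of the Response they answer (RFC 3748 4.2).
        return EapPacket(EAP_SUCCESS if ok else EAP_FAILURE, resp.identifier).encode()


def demo() -> bool:
    """Replay the flow from the question: the first DER already carries Response/Identity."""
    auth = EapAuthenticator({"alice": b"s3cret"})            # constructed credential
    first = EapPacket(EAP_RESPONSE, 7, TYPE_IDENTITY, b"alice").encode()
    req = parse_eap(auth.handle_payload("sess-1", first))    # accepted: MD5-Challenge follows
    assert req.code == EAP_REQUEST and req.identifier == 8
    assert auth.handle_payload("sess-1", first) is None      # duplicate Identity: discarded
    challenge = req.type_data[1:1 + req.type_data[0]]
    value = md5_challenge_value(8, b"s3cret", challenge)
    resp = EapPacket(EAP_RESPONSE, 8, TYPE_MD5_CHALLENGE, bytes([16]) + value + b"alice")
    return parse_eap(auth.handle_payload("sess-1", resp.encode())).code == EAP_SUCCESS


if __name__ == "__main__":
    print("flow accepted:", demo())
```

The design point is that the Identifier check from RFC 3748 only applies once the server has an outstanding Request for the session; before that, the Response/Identity forwarded by the access device is the legitimate opening packet, which is exactly what the freeDiameter trace shows. The returned EAP-Payload would be placed in the Diameter-EAP-Answer by the surrounding Diameter code.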