Today, most cases where the RADIUS server returns an access reject
return GSSEAP_RADIUS_AUTH_FAILURE and nothing more specific.
We don't know if we failed to reach the IDP realm, if there was some
sort of trust router issue, or if EAP authentication succeeded but there
was some policy problem.
We won't be able to distinguish incorrect username from incorrect
password.
Which errors are most important to distinguish in these categories?
Which failures would we like the RADIUS server to signal to us in a
manner that we can understand?
--Sam