Add the Service-Type AVP to properly distinguish between 802.1X, MAC address and admin authentication.

  • 2
  • Idea
  • Updated 5 years ago
To distinguish properly between the type of authentication that is occurring, HiveOS should include the Service-Type RADIUS AVP in its Access-Requests. Presently, it does not do so.

The service type should be set to Framed for 802.1X, Call-Check for MAC address authentication and Login for device administrative login via RADIUS.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes

Posted 5 years ago

  • 2
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
With regards to Call Check Service-Type for MAC address authentication, the RFCs say:

RFC 2865

"Call Check

Used by the NAS in an Access-Request packet to indicate that a call is being received and that the RADIUS server should send back an Access-Accept to answer the call, or an Access-Reject to not accept the call, typically based on the Called-Station-Id or Calling-Station-Id attributes. It is recommended that such Access-Requests use the value of Calling-Station-Id as the value of the User-Name."

RFC 3580

"Service-Type of Call Check is included in an Access-Request packet to request that the RADIUS server accept or reject the connection attempt, typically based on the Called-Station-ID (set to the bridge or Access Point MAC address) or Calling-Station-ID attributes (set to the Supplicant MAC address). As noted in [RFC2865], it is recommended that in this case, the User-Name attribute be given the value of Calling-Station-Id."
Photo of Sarah Banks

Sarah Banks

  • 75 Posts
  • 4 Reply Likes
Hi Nick, thanks for your feedback. We'll take it under consideration. :)