RADIUS message format needed to trigger EAP-TLS/EAP-TTLS negotiation

Joe Garcia joe27256 at gmail.com
Tue Nov 6 10:24:58 CET 2018

I'm working with an embedded device that needs to authenticate to a
FreeRADIUS server using EAP-TLS or EAP-TTLS.  I don't control the
FreeRADIUS server (this means I can't provide debug output, sorry), I
just need to authenticate to it from the device, with the server
configured to talk EAP-TLS/EAP-TTLS.  The device runs custom software
that talks RADIUS, EAP, and TLS, but no matter what I try, I can't
find the right combination of messages to get the server to negotiate
one of the two TLS protocols.

I've tried the obvious option of sending a RADIUS Access-Request
containing an EAP-Message TLV with code EAP-Request, type EAP-TLS or
EAP-TTLS, but get no response from the server.  It replies to other
random requests with the expected Access-Reject, so it's responding to
requests, just not the TLS ones.  All the example message flows I can
find, e.g. in RFC 3579, have three parties involved, the client, a
NAS, and the RADIUS server, so the client ends up sending an
EAP-Response to the NAS rather than anything to the RADIUS server.

Does anyone know what I need to send from the client directly to the
FreeRADIUS server to trigger the EAP-TLS/TTLS process?  I'm looking
for something like RADIUS code, EAP code, and EAP type, along with any
other RADIUS and EAP TLVs that may be required.

More information about the Freeradius-Users mailing list
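The first round trip of that exchange, written out as an added example (this is not code from the post above and not FreeRADIUS code). When the device is both the EAP peer and the NAS, the EAP-Request/Identity step in the RFC 3579 figures happens inside the device; the first packet that reaches the server is an Access-Request whose EAP-Message carries an EAP-Response/Identity, plus a Message-Authenticator attribute. RFC 3579 section 3.2 tells a server to silently discard an Access-Request that has EAP-Message but no Message-Authenticator, which is one way to get no reply at all. An EAP-Request in the Access-Request is also not something the server will act on, since the server is the EAP authenticator and only processes EAP-Responses. If the server is configured for a TLS method it answers with an Access-Challenge carrying EAP-Request of type 13 (EAP-TLS) or 21 (EAP-TTLS) with only the Start bit set, and a State attribute that must be echoed in the next Access-Request. The shared secret, identity, NAS-IP-Address and the server's reply below are all constructed for the example so it runs offline:

```python
"""Client-side RADIUS/EAP exchange that starts EAP-TLS or EAP-TTLS.

Added example, not code from the original post or from FreeRADIUS. The
client plays the NAS role itself. Identity, NAS-IP-Address and shared
secret are made-up assumptions, and the server reply is constructed
locally so the script runs offline.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                    # RFC 2865 codes
USER_NAME, NAS_IP_ADDRESS, STATE, NAS_PORT_TYPE = 1, 4, 24, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80                 # RFC 3579 attributes
EAP_REQUEST, EAP_RESPONSE = 1, 2                            # RFC 3748 codes
EAP_TYPE_IDENTITY, EAP_TYPE_TLS, EAP_TYPE_TTLS = 1, 13, 21
EAP_TLS_FLAG_START = 0x20                                   # RFC 5216 S bit


def eap_packet(code, eap_id, eap_type, data=b""):
    """EAP packet: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", code, eap_id, 5 + len(data), eap_type) + data


def attr(attr_type, value):
    """RADIUS attribute: Type, Length, Value (value at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_message_attrs(eap):
    """Carry an EAP packet in 253-byte EAP-Message fragments (RFC 3579 3.1)."""
    return b"".join(attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))


def radius_packet(code, identifier, authenticator, attrs, secret):
    """Assemble a packet and fill in Message-Authenticator (RFC 3579 3.2):
    HMAC-MD5(secret) over the packet with `authenticator` in the header and
    the attribute's 16 value bytes zeroed. Required whenever EAP-Message is present."""
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def build_identity_request(secret, identity, nas_ip, identifier=1, eap_id=1):
    """Access-Request carrying EAP-Response/Identity: the packet that starts EAP.
    Returns (packet, Request Authenticator); keep the authenticator to check
    the reply. The EAP code is Response, never Request, towards the server."""
    req_auth = os.urandom(16)
    eap = eap_packet(EAP_RESPONSE, eap_id, EAP_TYPE_IDENTITY, identity)
    attrs = (attr(USER_NAME, identity)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", 15))    # 15 = Ethernet
             + eap_message_attrs(eap))
    return radius_packet(ACCESS_REQUEST, identifier, req_auth, attrs, secret), req_auth


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, identifier, packet[4:20], attrs


def verify_reply(packet, secret, request_authenticator):
    """Check Response Authenticator (RFC 2865 3) and Message-Authenticator
    (RFC 3579 3.2); both are keyed on the secret and the Request Authenticator."""
    try:
        _, _, resp_auth, attrs = parse_radius(packet)
    except ValueError:
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not hmac.compare_digest(expected, resp_auth) or len(mas) != 1:
        return False
    zeroed = packet[:4] + request_authenticator + b"".join(
        attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mas[0])


def tls_start_offered(reply, secret, request_authenticator):
    """If `reply` is an authentic Access-Challenge whose EAP-Request is EAP-TLS
    or EAP-TTLS with the Start bit set, return (EAP type, State value) so the
    next Access-Request can echo State. Otherwise (None, None)."""
    if not verify_reply(reply, secret, request_authenticator):
        return None, None
    code, _, _, attrs = parse_radius(reply)
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)   # reassemble fragments
    # A TLS Start message is exactly header (5) + flags (1) with no TLS data.
    if code != ACCESS_CHALLENGE or len(eap) != 6 or struct.unpack("!H", eap[2:4])[0] != 6:
        return None, None
    if (eap[0] != EAP_REQUEST or eap[4] not in (EAP_TYPE_TLS, EAP_TYPE_TTLS)
            or not eap[5] & EAP_TLS_FLAG_START):
        return None, None
    return eap[4], next((v for t, v in attrs if t == STATE), None)


def constructed_server_challenge(secret, request_authenticator, identifier, eap_id,
                                 method=EAP_TYPE_TLS):
    """Constructed stand-in for the server: Access-Challenge with EAP-Request/<method>
    carrying only the Start flag, plus State. A real server sends this on UDP 1812."""
    eap = eap_packet(EAP_REQUEST, eap_id + 1, method, bytes([EAP_TLS_FLAG_START]))
    attrs = eap_message_attrs(eap) + attr(STATE, os.urandom(16))
    pkt = radius_packet(ACCESS_CHALLENGE, identifier, request_authenticator, attrs, secret)
    resp_auth = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def demo(method=EAP_TYPE_TLS, secret=b"testing123", identity=b"device01", nas_ip="192.0.2.10"):
    """Run the first round trip and return what the client sent and learned."""
    request, req_auth = build_identity_request(secret, identity, nas_ip)
    reply = constructed_server_challenge(secret, req_auth, 1, 1, method)
    chosen, state = tls_start_offered(reply, secret, req_auth)
    return {"request": request, "req_auth": req_auth, "reply": reply,
            "method": chosen, "state": state}


if __name__ == "__main__":
    r = demo()
    print("server started EAP type", r["method"], "State", r["state"].hex())
```

After this the device answers with another Access-Request containing the echoed State, the same Message-Authenticator handling, and EAP-Response/TLS (type 13 or 21) whose data is the TLS ClientHello, split over EAP-Message fragments with the L and M flags set as RFC 5216 describes; the server keeps replying with Access-Challenge until the TLS handshake ends in Access-Accept or Access-Reject. In the example the reply is checked before any of its EAP content is trusted, because an Access-Challenge whose Response Authenticator or Message-Authenticator fails must be dropped, not acted on.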