RADIUS message format needed to trigger EAP-TLS/EAP-TTLS negotiation

Joe Garcia joe27256 at gmail.com
Wed Nov 7 13:32:52 CET 2018

Alan DeKok <aland at deployingradius.com> wrote:

> > All the example message flows I can
> > find, e.g. in RFC 3579, have three parties involved, the client, a
> > NAS, and the RADIUS server, so the client ends up sending an
> > EAP-Response to the NAS rather than anything to the RADIUS server.
> That's how EAP works, yes.

In that case are we being asked to do something that's not possible,
i.e. having the client/supplicant talk directly to the RADIUS server
without a NAS involved?  That would also explain why we're having
problems with it.

> Send an EAP-Message containing an EAP-Identity.  That starts EAP.  The
> server SHOULD respond with an Access-Challenge containing an EAP-Message.
> That EAP-Message essentially says "Hi!  Let's do TTLS!"

I've tried that, and got no response from the server... checking RFC
3748, the EAP-Identity is sent by the authenticator, not the

      The Identity Type is used to query the identity of the peer.
      Generally, the authenticator will issue this as the initial

Then RFC 5281 says:

   However, prior to beginning the EAP-
   TTLS authentication, the client will typically issue an EAP-
   Response/Identity packet as part of the EAP protocol

but that's the three-party version again since the client can't begin
its communication with a Response.

This sorta reinforces my suspicion (see above) that we're being asked
to implement something that may not be possible?
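
An added, self-contained example (not from this thread, and not the
tool Joe is writing) showing the wire format that the quoted advice
describes: whatever is acting as the RADIUS client (a NAS, or a test
tool standing in for NAS plus supplicant) sends an Access-Request whose
EAP-Message attribute carries an EAP-Response/Identity, and the server
answers with an Access-Challenge carrying an EAP-Request of the method
it wants (Type 21 for TTLS, 13 for TLS, with only the Start flag set).
RFC 3579 requires a Message-Authenticator on every Access-Request that
carries EAP-Message, and a packet without one is silently discarded, so
the example computes it and checks it on the reply. The shared secret
"testing123", the identity "anonymous", and the build_challenge()
function that stands in for the server are all assumptions of this
example; the packet is never sent, only built and verified in memory.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
# EAP codes and method types (RFC 3748, RFC 5216, RFC 5281)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_TLS, EAP_TYPE_TTLS = 1, 13, 21
EAP_FLAG_START = 0x20  # S bit of the EAP-TLS / EAP-TTLS flags octet


def eap_packet(code, identifier, eap_type, data=b""):
    """EAP header (Code, Identifier, Length) followed by Type and type data."""
    return struct.pack("!BBH", code, identifier, 5 + len(data)) + bytes([eap_type]) + data


def avp(attr_type, value):
    """One RADIUS attribute; values over 253 octets must be split by the caller."""
    assert len(value) <= 253
    return bytes([attr_type, 2 + len(value)]) + value


def build_identity_request(secret, identity, radius_id, request_authenticator):
    """Access-Request that starts EAP: EAP-Response/Identity inside EAP-Message,
    signed with Message-Authenticator (mandatory with EAP-Message, RFC 3579 s3.2)."""
    eap = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)
    attrs = avp(ATTR_USER_NAME, identity)
    for i in range(0, len(eap), 253):          # fragment across EAP-Message attributes
        attrs += avp(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac          # Message-Authenticator is the last attribute


def parse_attributes(packet):
    """Return (type, value) pairs; reject attributes that overrun the packet."""
    pos, attrs = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(secret, packet, request_authenticator):
    """HMAC-MD5 over the packet with the Request Authenticator in the Authenticator
    field and the Message-Authenticator value zeroed (RFC 3579 s3.2)."""
    pos = 20
    for t, v in parse_attributes(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = packet[:4] + request_authenticator + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, v)
        pos += 2 + len(v)
    return False   # absent: RFC 3579 says such a packet MUST be discarded


def verify_response(secret, response, request_authenticator):
    """Check the Response Authenticator (RFC 2865 s3), then the Message-Authenticator."""
    if len(response) < 20:
        return False
    code, _, length = struct.unpack("!BBH", response[:4])
    if code != ACCESS_CHALLENGE or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    return verify_message_authenticator(secret, response, request_authenticator)


def proposed_eap_method(packet):
    """Reassemble EAP-Message fragments and return the Type of the server's EAP-Request."""
    eap = b"".join(v for t, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5 or eap[0] != EAP_REQUEST or struct.unpack("!H", eap[2:4])[0] != len(eap):
        return None
    return eap[4]


def build_challenge(secret, radius_id, request_authenticator, eap_type=EAP_TYPE_TTLS):
    """Assumed stand-in for the server's Access-Challenge: an EAP-Request of the chosen
    type with only the Start flag set, signed the way RFC 2865/3579 require."""
    eap = eap_packet(EAP_REQUEST, 2, eap_type, bytes([EAP_FLAG_START]))
    attrs = avp(ATTR_EAP_MESSAGE, eap) + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_CHALLENGE, radius_id, 20 + len(attrs))
    mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


if __name__ == "__main__":
    secret, ra = b"testing123", os.urandom(16)   # assumed shared secret, fresh Request Authenticator
    req = build_identity_request(secret, b"anonymous", 7, ra)
    chal = build_challenge(secret, 7, ra)
    assert verify_response(secret, chal, ra)
    print("server proposed EAP type", proposed_eap_method(chal))
```

Two details worth keeping in mind when sending the real thing: the
Request Authenticator must be fresh random bytes per request (it keys
both authenticators), and the Identifier of the EAP-Request in the
Access-Challenge, not the RADIUS Identifier, is what the next
EAP-Response has to echo.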
