RADIUS message format needed to trigger EAP-TLS/EAP-TTLS negotiation

Alan DeKok aland at deployingradius.com
Fri Nov 9 19:02:56 CET 2018


On Nov 7, 2018, at 7:32 AM, Joe Garcia <joe27256 at gmail.com> wrote:
> In that case are we being asked to do something that's not possible,
> i.e. having the client/supplicant talk directly to the RADIUS server
> without a NAS involved?  That would also explain why we're having
> problems with it.

  Yes.  A RADIUS server accepts RADIUS packets from a RADIUS client.  You can't send raw EAP to a RADIUS server and expect it to work.

>> Send an EAP-Message containing an EAP-Identity.  That starts EAP.  The
>> server SHOULD respond with an Access-Challenge containing an EAP-Message.
>> That EAP-Message essentially says "Hi!  Let's do TTLS!"
> 
> I've tried that, and got no response from the server...

  Then either you didn't send the right thing, or their RADIUS server is configured to discard all messages containing EAP, or their RADIUS server isn't configured to accept RADIUS packets from your IP address.

  You *can* run eapol_test yourself, as I suggested in my previous reply.  That will tell you if the RADIUS server works at all.

> This sorta reinforces my suspicion (see above) that we're being asked
> to implement something that may not be possible?

  Yes.

  Alan DeKok.
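The exchange described above (a RADIUS Access-Request wrapping an EAP-Response/Identity, answered by an Access-Challenge wrapping the server's EAP-Request) as an added example; it is not part of the original thread and not FreeRADIUS code. It builds the client packet, simulates the server's challenge locally so it runs offline, and shows the checks a client should make before trusting the reply. The shared secret testing123, NAS-IP-Address 192.168.1.2, the identity, the EAP identifiers and the State value are all assumed test values.

```python
# Added example (not FreeRADIUS code, not code from the thread): wrap an
# EAP-Response/Identity in a RADIUS Access-Request and validate the Access-Challenge
# that carries the server's EAP-Request (EAP-TTLS Start). Layouts follow RFC 2865, 3579,
# 3748 and 5281. Secret, NAS-IP-Address, identity and State are made-up values.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 24, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_TTLS, TTLS_FLAG_START = 1, 2, 1, 21, 0x20

def attr(atype, value):
    """One RADIUS TLV: Type, Length (header included), Value (at most 253 bytes)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        alen = data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def concat_eap(attrs):
    """RFC 3579 s3.1: EAP-Message values concatenated in order form one EAP packet."""
    return b"".join(v for t, v in attrs if t == EAP_MESSAGE)

def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity (RFC 3748 s5.1): the raw EAP that must be wrapped."""
    body = struct.pack("!B", EAP_TYPE_IDENTITY) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def build_packet(secret, code, ident, request_auth, attrs):
    """Header + attrs + Message-Authenticator (RFC 3579 s3.2): HMAC-MD5 keyed with the
    secret over the whole packet, MA value zeroed, Request Authenticator in the header."""
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def response_authenticator(secret, packet, request_auth):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()

def access_request(secret, radius_id, identity, eap_id, nas_ip=b"\xc0\xa8\x01\x02"):
    """Client side. Returns (packet, request_authenticator); keep the latter for the reply."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, identity.encode()) + attr(NAS_IP_ADDRESS, nas_ip)
             + attr(EAP_MESSAGE, eap_identity_response(eap_id, identity)))
    return build_packet(secret, ACCESS_REQUEST, radius_id, request_auth, attrs), request_auth

def access_challenge(secret, request, state=b"\x00\x01"):
    """Simulated server: Access-Challenge with EAP-Request/TTLS Start and a State to echo."""
    ident, request_auth = request[1], request[4:20]
    eap_id = (concat_eap(parse_attrs(request[20:]))[1] + 1) & 0xFF   # byte 1 = EAP identifier
    eap = struct.pack("!BBHBB", EAP_REQUEST, eap_id, 6, EAP_TYPE_TTLS, TTLS_FLAG_START)
    packet = build_packet(secret, ACCESS_CHALLENGE, ident, request_auth,
                          attr(EAP_MESSAGE, eap) + attr(STATE, state))
    return packet[:4] + response_authenticator(secret, packet, request_auth) + packet[20:]

def zero_message_authenticator(packet):
    """Return (copy with the Message-Authenticator value zeroed, original value)."""
    data, pos, found = bytearray(packet), 20, None
    for atype, value in parse_attrs(packet[20:]):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16 or found is not None:
                raise ValueError("bad or duplicate Message-Authenticator")
            found, data[pos + 2:pos + 18] = value, bytes(16)
        pos += 2 + len(value)
    if found is None:
        raise ValueError("Message-Authenticator missing (mandatory with EAP-Message)")
    return bytes(data), found

def parse_challenge(secret, reply, request_auth):
    """Client side: verify both authenticators, then return the EAP-Request fields.
    Any failure raises ValueError; a real client silently discards such packets."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_CHALLENGE or length != len(reply):
        raise ValueError("not a well-formed Access-Challenge")
    if not hmac.compare_digest(response_authenticator(secret, reply, request_auth), reply[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret?)")
    zeroed, mac = zero_message_authenticator(reply)
    expected = hmac.new(secret, zeroed[:4] + request_auth + zeroed[20:], hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("Message-Authenticator mismatch (packet modified in transit?)")
    attrs = parse_attrs(reply[20:])
    eap = concat_eap(attrs)
    if len(eap) < 5 or eap[0] != EAP_REQUEST or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("no usable EAP-Request in reply")
    return {"radius_id": ident, "eap_id": eap[1], "eap_type": eap[4],
            "eap_flags": eap[5] if len(eap) > 5 else None,
            "state": next((v for t, v in attrs if t == STATE), None)}

if __name__ == "__main__":
    secret = b"testing123"                     # made-up shared secret
    req, req_auth = access_request(secret, 0x2A, "anonymous@example.com", 0)
    print(parse_challenge(secret, access_challenge(secret, req), req_auth))
```

Two details the script makes explicit that a hand-rolled client often gets wrong: the EAP packet travels only as the value of EAP-Message attributes (concatenated in order if it spans several), and every Access-Request carrying EAP-Message must also carry a Message-Authenticator, since RFC 3579 tells the server to silently discard it otherwise. That silent discard is indistinguishable from the server not being configured for the client's IP, which is why eapol_test is the quicker way to separate the two.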
