How to force EAP-Identity Request sending after EAP START

Alan DeKok aland at
Fri May 1 18:02:12 CEST 2020

On May 1, 2020, at 11:48 AM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users at> wrote:
> Thanks a lot Alan,
> some time ago I commented some options in eap.conf to leave just eap-mschapv2, and also applied a filter to remove some attributes in access-challenge. I also think I enabled eap in authorize/auth (I think under /etc/raddb/sites-enabled/inner-tunnel). I do not think I did more. EAP was working, EAP-start is a new use case I need to support.


> I have removed the access-challenge filter to check but have the same result.
> The full debug of the access-attempt:
> (0) Received Access-Request Id 5 from to length 152
> (0)   User-Name = "swan"
> (0)   Acct-Session-Id = ""
> (0)   Calling-Station-Id = ""
> (0)   Called-Station-Id = ""
> (0)   NAS-Port-Id = "tunnel-1.public:40"
> (0)   NAS-Identifier = "vBNG"
> (0)   EAP-Message = 0x

  Yeah, that's a problem.  The EAP peer MUST NOT send an empty EAP-Message attribute.  See RFC 3579 Section 3.1.  It should instead send a 2-byte EAP start message.

  Or, more commonly, an EAP Identity.  Which is what 99.999% of EAP peers do.

  It's not clear why you need to support EAP-Start.  Perhaps explaining that may help.

> Not sure if you refer to this debug.


  I've pushed a fix, which will be in the next release.

  Alan DeKok.
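
Added example, not part of the original thread and not FreeRADIUS code: a small Python parser that walks the attributes of a RADIUS packet and reports whether its EAP-Message is empty (what the debug above prints as `EAP-Message = 0x`) or carries an EAP Identity response. The function names and the sample packets built by `build_request` are constructed for illustration.

```python
import struct

EAP_MESSAGE = 79                         # RADIUS attribute type (RFC 3579)
ACCESS_REQUEST = 1                       # RADIUS packet code
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1   # EAP code / type values (RFC 3748)


def radius_attributes(packet: bytes):
    """Yield (type, value) for each attribute in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:   # alen counts type+length bytes
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def classify_eap(packet: bytes) -> str:
    """Describe the EAP payload carried in a RADIUS packet."""
    chunks = [v for t, v in radius_attributes(packet) if t == EAP_MESSAGE]
    if not chunks:
        return "no EAP-Message"
    eap = b"".join(chunks)       # an EAP packet may span several attributes
    if not eap:
        return "empty EAP-Message"   # logged as "EAP-Message = 0x"
    if len(eap) < 4:
        return "malformed EAP"
    code, _eap_id, elen = struct.unpack("!BBH", eap[:4])
    if elen != len(eap):
        return "malformed EAP"
    if code == EAP_RESPONSE and elen >= 5 and eap[4] == EAP_TYPE_IDENTITY:
        return "EAP-Response/Identity: " + eap[5:].decode("utf-8", "replace")
    return f"EAP code {code}"


def build_request(eap: bytes, user: bytes = b"swan") -> bytes:
    """Constructed sample Access-Request (zeroed authenticator, no Message-Authenticator)."""
    attrs = bytes([1, 2 + len(user)]) + user + bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", ACCESS_REQUEST, 5, 20 + len(attrs)) + bytes(16) + attrs
```

`classify_eap(build_request(b""))` reproduces the case from the debug output, while passing an EAP Identity response built for the same user shows the form most peers send.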
