How to force EAP-Identity Request sending after EAP START

Alan DeKok aland at
Fri May 1 19:00:22 CEST 2020

On May 1, 2020, at 12:37 PM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users at> wrote:
> Thanks Alan,
> I know the RFC, for start there is an exception the RFC states in 2.1EAP-Start is indicated by sending an EAP-Message attribute with a
>   length of 2 (no data). 

  Except that the later definition of EAP-Message indicates that's wrong.  And RFC 2865 says that RADIUS attributes should never be sent with zero data.

> the server seems to recognize it as EAP-start according to the log

  Yes.  Because there are many broken clients.

> This use case just is required to interoperate with a VPN server that do not initiates EAP-Identity Request by itself. That may happen as it is not mandatory at RFC 5106 section 3 (EAP-Ikev2). 


> In that case, the VPN server needs to tell someway to the Radius to initiate an EAP dialogue with the end customer. Using stat message is suggested also in RFC 3579  section 2.1 
>   Rather than sending an initial EAP-Request packet to the
>   authenticating peer, on detecting the presence of the peer, the NAS
>   MAY send an Access-Request packet to the RADIUS server containing an
>   EAP-Message attribute signifying EAP-Start....

  Sure.  See the patch for a full fix.

  Alan DeKok.

More information about the Freeradius-Users mailing list