EAP TLS: how the radius server tracks clients

Alan DeKok aland at deployingradius.com
Sun May 3 22:33:38 CEST 2020

On May 3, 2020, at 3:36 PM, Jim Shi via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Hi, I have a question about how the radius server keeps track of clients in EAP TLS.
> My understanding is that EAP TLS involves a series of requests/responses.
> Hence the radius server needs to keep track of status for each client during the handshake.
> How does the radius server keep track of clients? Based on 'User-Name' in the radius packet request?

  The short answer is "Does it matter?"

  i.e. are you writing a RADIUS server which does EAP-TLS?  If not, it doesn't really matter.  It works, and that's good enough.

  The longer answer is that this is defined in RFC 3579 (EAP over RADIUS), and RFC 2865 (how Access-Challenge works).  This uses the State attribute.

  If you read the debug output of the server, you'll also see that it looks up EAP sessions by State.

  Alan DeKok.
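
The State-based lookup described in the reply above, as an added sketch that is not part of the original post and is not FreeRADIUS code. `parse_attrs`, `build_request` and `EapSessionTable` are hypothetical names, the packets are constructed samples with a zeroed authenticator, and issuing a fresh State on every round is an assumption of this sketch.

```python
import secrets
import struct

USER_NAME, STATE = 1, 24                  # RADIUS attribute types (RFC 2865)
ACCESS_REJECT, ACCESS_CHALLENGE = 3, 11   # RADIUS packet codes (RFC 2865)

def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte RADIUS header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def build_request(user: bytes, state: bytes = b"") -> bytes:
    """Construct a sample Access-Request (code 1) for the demo."""
    body = bytes([USER_NAME, len(user) + 2]) + user
    if state:
        body += bytes([STATE, len(state) + 2]) + state
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

class EapSessionTable:
    """Hypothetical server-side table: one in-progress handshake per State value."""
    def __init__(self):
        self.sessions = {}

    def handle(self, packet: bytes):
        """Return (reply_code, new_state, round_number) for one Access-Request."""
        attrs = parse_attrs(packet)
        state = attrs.get(STATE)
        if state is None:                    # first packet: start a new session
            session = {"user": attrs.get(USER_NAME), "round": 0}
        else:
            session = self.sessions.pop(state, None)   # each State is single-use
            if session is None:              # unknown or replayed State
                return ACCESS_REJECT, None, None
        session["round"] += 1
        new_state = secrets.token_bytes(16)  # unpredictable, sent in the challenge
        self.sessions[new_state] = session
        return ACCESS_CHALLENGE, new_state, session["round"]
```

Two handshakes that present the same User-Name stay separate because the lookup key is the State value the server issued, and a State that was never issued or was already consumed is rejected.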
