How to Initiate EAP-Request Identity

JAVIER SANDOVAL javier_sandoval_ldc at
Tue May 5 18:08:55 CEST 2020

Hi experts,
this question is a bit related with one i did last week about EAP-start support.
Now is a slightly different use case:
I have no expertise with freeradius and do not know how flexible Freeradius 3 may be to customize an authentication policy flow.
The use case i am interested in is:
Freeradius initiates a EAP Identity Request procedure when it receives and EAP-response message containing just only an EAP Identity AVP. (or if a bit more specific approach might be possible, just only when the provided EAP-identity is not known)

The rational behind: 

Some VPN server(s) do not initiates EAP-Identity Request by itself. That may happen as it is not mandatory at RFC 5106 section 3 (EAP-Ikev2). However, the server sends to Radius server an EAP-response type Identity AVP, which is filled with the IKE-ID conveyed by the end customer. Some VPN clients include the EAP user as IKE-ID and all works normally, but some others not, and typically include as IKE-ID the IP address of the supplicant (i.e. windows 10, MAC OS native vpn clients), which is unknown for the radius/db server.
I would appreciate your feedback, and, if feasible, some guiding or hints about how to get that policy implemented.
Kind regards,

More information about the Freeradius-Users mailing list