How to Initiate EAP-Request Identity

Alan DeKok aland at deployingradius.com
Tue May 5 18:33:59 CEST 2020


On May 5, 2020, at 12:08 PM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Hi experts,
> This question is a bit related to one I did last week about EAP-Start support.
> Now it is a slightly different use case:
> I have no expertise with FreeRADIUS and do not know how flexible FreeRADIUS 3 may be to customize an authentication policy flow.
> The use case I am interested in is:
> FreeRADIUS initiates an EAP Identity Request procedure when it receives an EAP-Response message containing only an EAP Identity AVP (or, if a bit more specific approach might be possible, only when the provided EAP-Identity is not known).

  What is an "unknown" EAP-Identity?

  In general, it's impossible to play games with packet state machines.  The devices implement particular state machines.  If you try to do something special / different, it generally won't work.

> The rationale behind:
> 
> Some VPN server(s) do not initiate an EAP-Identity Request by themselves. That may happen as it is not mandatory in RFC 5106 section 3 (EAP-IKEv2). However, the server sends to the RADIUS server an EAP-Response type Identity AVP, which is filled with the IKE-ID conveyed by the end customer. Some VPN clients include the EAP user as IKE-ID and all works normally, but some others do not, and typically include as IKE-ID the IP address of the supplicant (i.e. Windows 10, macOS native VPN clients), which is unknown to the RADIUS/DB server.

  You can't ask *again* for a different Identity.  Even if you sent an EAP Identity request back, the devices would likely (a) fail EAP entirely, or (b) ignore it, or (c) send back the same identity.

> I would appreciate your feedback, and, if feasible, some guiding or hints about how to get that policy implemented.

  Ask the vendors to fix their implementations.  :(

  Or, update the FreeRADIUS configuration to do identity checks based on some *other* field.  Look in the debug logs to see what's available.

  Alan DeKok.
