How to Initiate EAP-Request Identity

Alan DeKok aland at deployingradius.com
Tue May 5 19:10:30 CEST 2020


On May 5, 2020, at 12:55 PM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> 
>> In general, it's impossible to play games with packet state machines.  The devices implement particular state machines.  If you try to do something special / different, it generally won't work.
> That is why I asked about it, I do not know FreeRADIUS capabilities.

  You misunderstood me.

  This isn't a limitation of FreeRADIUS.  It's a limitation of the protocol design, specifications, and *every* implementation.  You can't just invent packet flows and expect them to do what you want.  Protocols simply don't work that way.

>> You can't ask *again* for a different Identity.  Even if you sent an EAP Identity request back, the devices would likely (a) fail EAP entirely, or (b) ignore it, or (c) send back the same identity.
> 
> That is what I am interested in. I do not think the device should ignore an EAP Identity (not RFC compliant); not much difference for the device if it is the VPN server or the RADIUS server initiating the EAP-Identity Request.

  Your opinion doesn't matter.  Microsoft and Apple have implemented *something*.  And that something follows the specs.  It doesn't follow your custom requirements, 15 years later.

  You can't complain that a system isn't "RFC compliant" when it sends an EAP-Identity, and ignores an EAP-Identity-Request in the response.  This packet flow is *not* intended by the protocol authors, and is likely also not implemented by Microsoft and Apple.

  Your idea was that if you got a "bad" EAP Identity, you could somehow request a "good" one.  Again, protocols simply don't work that way.  What you want is impossible.  For reasons I explained above.  I suggest understanding those reasons, instead of insisting that Microsoft and Apple do what you want them to do.

  It just won't happen.

>> Or, update the FreeRADIUS configuration to do identity checks based on some *other* field.  Look in the debug logs to see what's available.
> 
> Not sure what you mean, a different attribute in the initial RADIUS message from the VPN server? None has significance nor may be correlated with any user information available in the server.

  Yes, I mean look at the RADIUS packets.  It is likely that one has significance.  Or, there's something else in the EAP messages which allows the server to determine the user's identity.

  VPN servers clearly work with Microsoft and Apple clients.  Therefore, it must be possible to authenticate them.

> Thanks for the feedback Alan, from your words I assume there is no option with Freeradius for this use-case.

  That is entirely NOT what I said.  This isn't a difficult message to get across.

  When I said that the OTHER END likely won't do what you want, you should NOT conclude that the problem is FreeRADIUS.

  Alan DeKok.
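
As an added illustration of the packet flow discussed in this thread (example code written for this archive page; it is not part of Alan's reply, of Javier's setup, or of FreeRADIUS itself), the following Python encodes and parses the EAP-Request/Identity and EAP-Response/Identity packets per RFC 3748 and shows the server-side decision point that follows. The identity value, realm and identifier numbers are constructed sample data; the realm check in `decide` is an assumed policy, not a FreeRADIUS feature. The point it makes in code is the one made above: once the Response/Identity arrives, the authenticator's state machine continues with an EAP method or ends the conversation, and validation of a "bad" identity is done on the server's own data (here, a realm check; in a real deployment, whichever RADIUS or EAP field the debug logs show to be meaningful) rather than by re-sending an Identity request.

```python
import struct

# Code and Type values from RFC 3748 (Extensible Authentication Protocol).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (network byte order)


def build_identity_request(identifier, prompt=b""):
    """Encode the EAP-Request/Identity an authenticator sends at session start."""
    if not 0 <= identifier <= 255:
        raise ValueError("identifier must fit in one octet")
    length = HEADER.size + 1 + len(prompt)  # Length covers the whole packet
    return HEADER.pack(EAP_REQUEST, identifier, length) + bytes([EAP_TYPE_IDENTITY]) + prompt


def build_identity_response(identifier, identity):
    """Encode a peer's EAP-Response/Identity (constructed here to stand in for a client)."""
    body = identity.encode("utf-8")
    length = HEADER.size + 1 + len(body)
    return HEADER.pack(EAP_RESPONSE, identifier, length) + bytes([EAP_TYPE_IDENTITY]) + body


def build_failure(identifier):
    """Encode EAP-Failure; its Identifier matches the last Response (RFC 3748 section 4.2)."""
    return HEADER.pack(EAP_FAILURE, identifier, HEADER.size)


def parse_eap(data):
    """Parse one EAP packet, enforcing the Length rules of RFC 3748 section 4.1."""
    if len(data) < HEADER.size:
        raise ValueError("truncated EAP header")
    code, identifier, length = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("EAP Length field inconsistent with packet size")
    data = data[:length]  # octets beyond Length are padding and must be ignored
    pkt = {"code": code, "identifier": identifier, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < HEADER.size + 1:
            raise ValueError("Request/Response needs a Type octet")
        pkt["type"] = data[HEADER.size]
        pkt["data"] = data[HEADER.size + 1:]
    return pkt


def identity_from_response(request, response):
    """Return the identity string if `response` is a valid answer to `request`."""
    req, rsp = parse_eap(request), parse_eap(response)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("first packet is not an EAP-Request/Identity")
    if rsp["code"] != EAP_RESPONSE:
        raise ValueError("expected an EAP-Response")
    if rsp["identifier"] != req["identifier"]:
        raise ValueError("Identifier mismatch: response does not belong to this request")
    if rsp["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("peer answered with a different Type (for example a Nak)")
    # The Identity field is not NUL-terminated; decode leniently so odd bytes still get logged.
    return rsp["data"].decode("utf-8", errors="replace")


def decide(identity, allowed_realm):
    """Server decision after the identity arrives (assumed realm policy, for illustration).

    After Response/Identity the RFC 4137 authenticator state machine either proposes an
    EAP method or ends the conversation with Success/Failure.  Sending a second
    Request/Identity is not one of those transitions, so an identity that fails policy
    is rejected here rather than "re-asked".
    """
    if "@" in identity and identity.rsplit("@", 1)[1].lower() == allowed_realm:
        return "select-method"
    return "failure"


if __name__ == "__main__":
    req = build_identity_request(1)
    rsp = build_identity_response(1, "user@example.com")  # constructed sample peer reply
    ident = identity_from_response(req, rsp)
    print(ident, decide(ident, "example.com"))
    bad = identity_from_response(build_identity_request(2), build_identity_response(2, "guest"))
    print(bad, decide(bad, "example.com"), build_failure(2).hex())
```

Run it as-is to see the accepted and rejected paths; in a RADIUS deployment the "failure" branch corresponds to an Access-Reject carrying EAP-Failure, and the "select-method" branch to the server's next EAP-Request for the configured method.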
