How to Initiate EAP-Request Identity

JAVIER SANDOVAL javier_sandoval_ldc at
Wed May 6 11:20:05 CEST 2020

 Hi Alan,
Just to do not mislead others that might be interested in something similar.

Very interesting your speech but nothing to do with the real thing.
I have the setup working with a different AAA solution in the market, there is zero problems for the windows VPN clients to work when Radius send the identity-Request. It definitely works perfectly.
I have neither ideas nor opinions about EAP.

asking for the EAP-identity it is quite normal for several uses-cases and its is quite clear at the RFCs.
For different reasons, I needed to asses the possibility of this use-case with Freeradius, that was all.
Freeradius is not a problem at all. I like it, I was just asking about the integration with this use-case and asking for advice.

Kind regards,

    En martes, 5 de mayo de 2020 19:10:39 CEST, Alan DeKok <aland at> escribió:  
 On May 5, 2020, at 12:55 PM, JAVIER SANDOVAL via Freeradius-Users <freeradius-users at> wrote:t may change)
>> In general, it's impossible to play games with packet state machines.  The devices implement particular state machines.  If you try to do something special / different, it generally won't work.
> That is way I asked about, I do not know freeradius capabilities.

  You misunderstood me.

  This isn't a limitation of FreeRADIUS.  It's a limitation of the protocol design, specifications, and *every* implementation.  You can't just invent packet flows and expect them to do what you want.  Protocols simply don't work that way,

>> You can't ask *again* for a different Identity.  Even if you sent an EAP Identity request back, the devices would likely (a) fail EAP entirely, or (b) ignore it, or (c) send back the same identity.
> That is what i am interested in, I do not think the device should ignore EAP Identity (no RFC compliant), no much difference for the device if it is the VPN server or the Radius server initiating the EAP-Identity Request. 

  Your opinion doesn't matter.  Microsoft and Apple have implemented *something*.  And that something follows the specs.  It doesn't follow your custom requirements, 15 years later.

  You can't complain that a system isn't "RFC compliant" when it sends an EAP-Identity, and ignores an EAP-Identity-Request in the response.  This packet flow is *not* intended by the protocol authors, and is likely also not implemented by Microsoft and Apple.

  Your idea was that if you got a "bad" EAP Identity, you could somehow request a "good" one.  Again, protocols simply don't work that way.  What you want is impossible.  For reasons I explained above.  I suggest understanding those reasons, instead of insisting that Microsoft and Apple do what you want them to do.

  It just won't happen.

>> Or, update the FreeRADIUS configuration to do identity checks based on some *other* field.  Look in the debug logs to see what's available.
> Not sure what you mean, a different attribute in the initial Radius message from the VPN server? No one has  significance neither may be correlated with any user information available in the server.

  Yes, I mean look at the RADIUS packets.  It is likely that one has significance.  Or, there's something else in the EAP messages which allows the server to determine the users identity.

  VPN servers clearly work with Microsoft and Apple clients.  Therefore, it must be possible to authenticate them.

> Thanks for the feedback Alan, from your words I assume there is no option with Freeradius for this use-case.

  That is entirely NOT what I said.  This isn't a difficult message to get across.

  When I said that the OTHER END likely won't do what you want, you should NOT conclude that the problem is FreeRADIUS.

  Alan DeKok.

More information about the Freeradius-Users mailing list