How to Initiate EAP-Request Identity

JAVIER SANDOVAL javier_sandoval_ldc at yahoo.es
Wed May 6 14:30:57 CEST 2020 

 Hi,
it is clear a communication problem.
I have it working, Believe it.
I guess the problem is you think end customer EAP Identity need to change at some time for this use case, but it doesn´t. I likely explain badly the use-case.

It is not the case, you have two elements. the VPN server telling initially to the Radius server one EAP-identity that it derived from IKE-ID (as the VPN server does not explicitly ask for the EAP-Identity), and the end customer telling the Radius server its real EAP-Identity after requested by Radius.
I am happy to know I might finally get sending EAP-Identity Request from Freeradius for this case. That was part of my initial question.

Kind regards,
Javier



    En miércoles, 6 de mayo de 2020 13:56:06 CEST, Alan DeKok <aland at deployingradius.com> escribió:  
 
 On May 6, 2020, at 5:20 AM, JAVIER SANDOVAL <javier_sandoval_ldc at yahoo.es> wrote:
> Very interesting your speech but nothing to do with the real thing.

  This is fundamentally a communication problem.  You're not saying what you're doing, and you're misunderstanding what I say.

  When I say "the other end won't do what you want", your conclusion should *not* be "FreeRADIUS can't do it".  That's not what I said.  Such a response is not appropriate.

> I have the setup working with a different AAA solution in the market, there is zero problems for the windows VPN clients to work when Radius send the identity-Request. It definitely works perfectly.

  Post PCAP files.

> I have neither ideas nor opinions about EAP.

  That's clearly not true.  I suggest telling the truth.

> asking for the EAP-identity it is quite normal for several uses-cases and its is quite clear at the RFCs.

  Will the other end *change* it's identity response as you were implying?  Or, send back the same response as I suggested?

  The RFCs absolutely do not say "Oh, if you ask *enough*, then the other end will send you the *real* identity you want".

> For different reasons, I needed to asses the possibility of this use-case with Freeradius, that was all.
> 
> Freeradius is not a problem at all. I like it, I was just asking about the integration with this use-case and asking for advice.

  FreeRADIUS can do just about anything.

  You *can* make FreeRADIUS do whatever you want, including sending EAP-Identity requests.

  Alan DeKok.

More information about the Freeradius-Users mailing list